DexManagerFacet.batchRemoveDex is used to remove many DEXs in the same transaction. However, the return in L73, will push the function to return directly after removing the first DEX in the _dexs list. So the actual implementation will just remove the first element in the list, which could be a serious problem as the contract owner could think that he removes an access to a DEXs while he doesn't.
I put this as high because this affects the ACCESS CONTROL.
Recommendation: remove the return (as simple as that).
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/DexManagerFacet.sol#L73
Vulnerability details
DexManagerFacet.batchRemoveDex
is used to remove many DEXs in the same transaction. However, thereturn
in L73, will push the function to return directly after removing the firstDEX
in the_dexs
list. So the actual implementation will just remove the first element in the list, which could be a serious problem as the contract owner could think that he removes an access to a DEXs while he doesn't. I put this as high because this affects the ACCESS CONTROL.Recommendation: remove the return (as simple as that).