code-423n4 / 2022-03-volt-findings


QA Report #16

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

1) onlyGovernor Call revokeGovernor() Should Take Extra Care

Risk Level: Low

Impact

onlyGovernor is the Super User in this protocol. onlyGovernor can change all the roles in this protocol. onlyGovernor is also responsible for setting important parameters. Thus, revoking the Governor role should take extra care.

Proof of Concept

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/core/Permissions.sol#L114-L116

Recommended Mitigation Steps

Suggest that revokeGovernor() add a countdown time, e.g. 7 days as a cooling-down period, to double confirm that onlyGovernor wants to revoke his Governor role.
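One way to implement the suggested cooling-down period, as an added example that is not Volt's Permissions.sol or any code from the finding: revocation becomes a two-step request/execute flow, with a cancel path while the timer runs. The 7-day delay, the contract and function names, and the minimal role mapping (in place of the protocol's real role system) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not Volt's Permissions.sol: two-step governor revocation
/// with a cooling-down period so an accidental revoke can be cancelled.
contract DelayedGovernorRevoke {
    uint256 public constant REVOKE_DELAY = 7 days; // assumed, per the finding's suggestion

    mapping(address => bool) public isGovernor;
    // governor => timestamp the revocation was requested at (0 = nothing pending)
    mapping(address => uint256) public revokeRequestedAt;

    event RevokeRequested(address indexed governor, uint256 executableAt);
    event RevokeCancelled(address indexed governor);
    event GovernorRevoked(address indexed governor);

    modifier onlyGovernor() {
        require(isGovernor[msg.sender], "not governor");
        _;
    }

    constructor() {
        isGovernor[msg.sender] = true;
    }

    /// Step 1: start the cool-down. The role is untouched until step 2.
    function requestRevokeGovernor(address governor) external onlyGovernor {
        require(isGovernor[governor], "target not governor");
        require(revokeRequestedAt[governor] == 0, "already pending");
        revokeRequestedAt[governor] = block.timestamp;
        emit RevokeRequested(governor, block.timestamp + REVOKE_DELAY);
    }

    /// Undo a pending request, e.g. when the revocation was a mistake.
    function cancelRevokeGovernor(address governor) external onlyGovernor {
        require(revokeRequestedAt[governor] != 0, "nothing pending");
        delete revokeRequestedAt[governor];
        emit RevokeCancelled(governor);
    }

    /// Step 2: only once the delay has elapsed is the role actually removed.
    function revokeGovernor(address governor) external onlyGovernor {
        uint256 requestedAt = revokeRequestedAt[governor];
        require(requestedAt != 0, "not requested");
        require(block.timestamp >= requestedAt + REVOKE_DELAY, "cool-down not over");
        delete revokeRequestedAt[governor];
        isGovernor[governor] = false;
        emit GovernorRevoked(governor);
    }
}
```

The emitted RevokeRequested event gives off-chain monitoring a full REVOKE_DELAY window to notice and cancel an unintended revocation before it takes effect.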

ElliotFriedman commented 2 years ago

We agree that you have to be careful with the governor and revoking its abilities. Eventually the VOLT system will move to a timelock and token voting mechanism for governance, so there will be a time-locked cool-down period built in automatically.