code-423n4 / 2022-04-backd-findings


No provision to change value of minWithdrawalDelay in VaultReserve #147

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/vault/VaultReserve.sol#L23-L25

Vulnerability details

The public variable `minWithdrawalDelay` in VaultReserve.sol is set during contract creation; however, there is no provision to change this value at any later time, either to a lower or higher value.

Impact

In the event of an emergency or any other circumstances in which funds need to be moved out or withdrawn from the VaultReserve, there will be a worst case of 3 days of delay before the funds can be withdrawn, because of the `_lastWithdrawal` update and the fixed value of `minWithdrawalDelay`. This may not be the behaviour desired by the protocol.

Recommended Mitigation Steps

Add a function to change the value of `minWithdrawalDelay`, with `onlyGovernance` or another appropriate modifier.

chase-manning commented 2 years ago

It is intended that there is a 3 day delay here. No updates needed.
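The design choice discussed in this thread, as an added sketch that is not part of the issue and is not the Backd `VaultReserve` source: a withdrawal gate driven by `_lastWithdrawal` and `minWithdrawalDelay`, plus the governance-gated setter the report recommends. Everything except those two names and `onlyGovernance` (the contract name, `MAX_DELAY`, the per-caller keying, the balance bookkeeping, the event) is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration; NOT the Backd VaultReserve source. Only the names
// minWithdrawalDelay, _lastWithdrawal and onlyGovernance come from the issue text.
contract ReserveDelaySketch {
    address public governance;                  // assumed: single governance address
    uint256 public minWithdrawalDelay;          // set at creation, as the issue describes
    uint256 public constant MAX_DELAY = 3 days; // assumed upper bound for the setter
    mapping(address => uint256) private _lastWithdrawal; // assumed: keyed per caller
    mapping(address => uint256) private _balances;       // assumed bookkeeping

    event MinWithdrawalDelayChanged(uint256 oldDelay, uint256 newDelay);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(uint256 delay) {
        require(delay <= MAX_DELAY, "delay too long");
        governance = msg.sender;
        minWithdrawalDelay = delay;
    }

    function deposit() external payable {
        _balances[msg.sender] += msg.value;
    }

    function canWithdraw(address vault) public view returns (bool) {
        return block.timestamp >= _lastWithdrawal[vault] + minWithdrawalDelay;
    }

    function withdraw(uint256 amount) external {
        require(canWithdraw(msg.sender), "withdrawal delay not elapsed");
        require(_balances[msg.sender] >= amount, "insufficient balance");
        _lastWithdrawal[msg.sender] = block.timestamp; // restarts the waiting period
        _balances[msg.sender] -= amount;               // effects before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // The setter the report recommends; without it the delay is fixed for the contract's life.
    function setMinWithdrawalDelay(uint256 newDelay) external onlyGovernance {
        require(newDelay <= MAX_DELAY, "delay too long");
        emit MinWithdrawalDelayChanged(minWithdrawalDelay, newDelay);
        minWithdrawalDelay = newDelay;
    }
}
```

A setter of this kind trades the fixed guarantee for flexibility: whoever controls the governance address can shorten the delay, so the rate limit holds only as long as that key does. Omitting the setter keeps the delay independent of governance.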