code-423n4 / 2022-06-canto-v2-findings


admin may rug the project intentionally or unintentionally if he sets the wrong address. #137

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/Plex-Engineer/lending-market-v2/blob/443a8c0fed3c5018e95f3881a31b81a555c42b2d/contracts/Accountant/AccountantDelegate.sol#L17

Vulnerability details

Impact


admin may rug the project intentionally or unintentionally if he sets the wrong address.

Proof of Concept


```solidity
function initialize(address treasury_, address cnoteAddress_, address noteAddress_, address comptrollerAddress_) external
```

the admin needs to init treasury_, cnoteAddress_, noteAddress_, comptrollerAddress_.

Tools Used

VIM

Recommended Mitigation Steps

nivasan1 commented 2 years ago

The admin of the protocol is Timelock, as such, any method call/arguments must be validated through cosmos-sdk governance.

GalloDaSballo commented 2 years ago

Worst case scenario would require a re-deploy. In lack of any additional detail I am downgrading to QA.
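For reference, here is what input validation on an `initialize` of the shape quoted in the finding could look like. This is an added example written for this page, not code from the Canto repository or from any participant in the thread: the contract name `AccountantDelegateHardened`, the storage variables, the `initialized` flag, the `admin` assignment in the constructor and the revert strings are all assumptions, and the parameter names simply mirror the signature quoted above. It assumes all four arguments are expected to be contracts, which is what the `extcodesize`-style check enforces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's AccountantDelegate. Everything except the
// initialize(...) parameter list is assumed for illustration.
contract AccountantDelegateHardened {
    address public admin;
    address public treasury;
    address public cnoteAddress;
    address public noteAddress;
    address public comptrollerAddress;
    bool private initialized;

    event Initialized(address treasury, address cnote, address note, address comptroller);

    constructor() {
        // Assumed: in a real deployment this would be the Timelock, so that
        // every initialize() call still goes through governance review.
        admin = msg.sender;
    }

    // Reverts when `addr` is the zero address or has no deployed code. This
    // catches the two most common "wrong address" mistakes at initialization:
    // an argument left unset, and an EOA or mistyped address passed where a
    // contract is expected. It does not catch a valid but wrong contract.
    function _requireContract(address addr, string memory name) internal view {
        require(addr != address(0), string(abi.encodePacked(name, ": zero address")));
        require(addr.code.length > 0, string(abi.encodePacked(name, ": not a contract")));
    }

    function initialize(
        address treasury_,
        address cnoteAddress_,
        address noteAddress_,
        address comptrollerAddress_
    ) external {
        require(msg.sender == admin, "initialize: caller is not admin");
        // One-shot guard: a second call cannot silently repoint the protocol
        // at different contracts after deployment.
        require(!initialized, "initialize: already initialized");

        _requireContract(treasury_, "treasury");
        _requireContract(cnoteAddress_, "cnoteAddress");
        _requireContract(noteAddress_, "noteAddress");
        _requireContract(comptrollerAddress_, "comptrollerAddress");

        initialized = true;
        treasury = treasury_;
        cnoteAddress = cnoteAddress_;
        noteAddress = noteAddress_;
        comptrollerAddress = comptrollerAddress_;

        emit Initialized(treasury_, cnoteAddress_, noteAddress_, comptrollerAddress_);
    }
}
```

The checks above only rule out obviously malformed arguments; they cannot tell a correct cNote address from another deployed contract. That remaining risk is exactly what the Timelock/governance path mentioned by nivasan1 is meant to cover, and the emitted event gives reviewers a cheap way to confirm after the fact which addresses were actually set.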