code-423n4 / 2022-06-infinity-findings


Missing events/timelocks for critical parameter changing functions by `InfinityStaker` owner #342

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L351

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L364

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L375

Vulnerability details

Impact

An InfinityStaker owner can change critical parameters such as rage-quit penalties, staking level thresholds and the penalty treasury receiver.

None of these setter functions emit events to record these changes on-chain for off-chain monitors/tools/interfaces to register the updates and react if necessary.

Nor are timelocks used to allow users to react in a timely manner.

Proof of Concept

Missing events:

- InfinityStaker.sol#L351: function updateStakeLevelThreshold
- InfinityStaker.sol#L364: function updatePenalties
- InfinityStaker.sol#L375: function updateInfinityTreasury

Missing timelocks:

- InfinityStaker.sol#L351: function updateStakeLevelThreshold
- InfinityStaker.sol#L364: function updatePenalties
- InfinityStaker.sol#L375: function updateInfinityTreasury

Tools Used

Manual review

Recommended mitigation steps

Add events to all mentioned functions that change critical parameters. Add timelocks (similar to InfinityToken) to introduce time delays for critical parameter changes.
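The following is an added illustration of the recommended mitigation, written for this page and not taken from the Infinity codebase. It keeps the three setter names from the finding but assumes their parameter shapes (a per-level threshold, a min/max penalty pair, a treasury address), a two-day delay and a single owner; none of those assumptions come from the audited contract. Every change is first scheduled (emitting the hash of the announced value and the earliest execution time), can be cancelled, and is only applied by the named setter after the delay has elapsed and the submitted value matches what was announced. Each setter also emits an event with old and new values so off-chain monitors see the update itself, not just the schedule.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative pattern only (not InfinityStaker's real code): owner-only
/// parameter changes that are announced, delayed, and logged on-chain.
contract TimelockedStakerParams {
    uint256 public constant DELAY = 2 days;          // assumed delay
    address public owner;

    // Assumed parameter shapes; the audited contract's types are not shown here.
    mapping(uint8 => uint256) public stakeLevelThreshold; // level => threshold
    uint256 public minPenaltyBps;
    uint256 public maxPenaltyBps;
    address public infinityTreasury;

    // Parameter ids used to key scheduled changes (constructed for this example).
    bytes32 public constant PARAM_THRESHOLD = keccak256("STAKE_LEVEL_THRESHOLD");
    bytes32 public constant PARAM_PENALTIES = keccak256("PENALTIES");
    bytes32 public constant PARAM_TREASURY  = keccak256("INFINITY_TREASURY");

    struct Pending { bytes32 valueHash; uint256 executeAfter; }
    mapping(bytes32 => Pending) public pending;

    // Scheduling events give monitors advance notice of what will change and when.
    event UpdateScheduled(bytes32 indexed param, bytes32 valueHash, uint256 executeAfter);
    event UpdateCancelled(bytes32 indexed param);
    // Change events record the applied values, which the audited setters lacked.
    event StakeLevelThresholdUpdated(uint8 indexed level, uint256 oldValue, uint256 newValue);
    event PenaltiesUpdated(uint256 oldMin, uint256 oldMax, uint256 newMin, uint256 newMax);
    event InfinityTreasuryUpdated(address indexed oldTreasury, address indexed newTreasury);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address treasury) {
        owner = msg.sender;
        infinityTreasury = treasury;
    }

    /// Step 1: announce a change. `encodedValue` is abi.encode of the setter's
    /// arguments; only its hash is stored, so the later call must match exactly.
    function scheduleUpdate(bytes32 param, bytes calldata encodedValue) external onlyOwner {
        uint256 executeAfter = block.timestamp + DELAY;
        bytes32 h = keccak256(encodedValue);
        pending[param] = Pending(h, executeAfter);
        emit UpdateScheduled(param, h, executeAfter);
    }

    function cancelUpdate(bytes32 param) external onlyOwner {
        require(pending[param].executeAfter != 0, "nothing scheduled");
        delete pending[param];
        emit UpdateCancelled(param);
    }

    /// Step 2: the setters below consume the matching scheduled entry.
    function updateStakeLevelThreshold(uint8 level, uint256 threshold) external onlyOwner {
        _consume(PARAM_THRESHOLD, abi.encode(level, threshold));
        uint256 old = stakeLevelThreshold[level];
        stakeLevelThreshold[level] = threshold;
        emit StakeLevelThresholdUpdated(level, old, threshold);
    }

    function updatePenalties(uint256 minBps, uint256 maxBps) external onlyOwner {
        require(minBps <= maxBps && maxBps <= 10_000, "bad penalty range");
        _consume(PARAM_PENALTIES, abi.encode(minBps, maxBps));
        emit PenaltiesUpdated(minPenaltyBps, maxPenaltyBps, minBps, maxBps);
        minPenaltyBps = minBps;
        maxPenaltyBps = maxBps;
    }

    function updateInfinityTreasury(address treasury) external onlyOwner {
        require(treasury != address(0), "zero treasury");
        _consume(PARAM_TREASURY, abi.encode(treasury));
        emit InfinityTreasuryUpdated(infinityTreasury, treasury);
        infinityTreasury = treasury;
    }

    /// Enforces the delay and binds the executed value to the announced one.
    function _consume(bytes32 param, bytes memory encoded) internal {
        Pending memory p = pending[param];
        require(p.executeAfter != 0, "not scheduled");
        require(block.timestamp >= p.executeAfter, "timelock active");
        require(p.valueHash == keccak256(encoded), "value differs from announced");
        delete pending[param];
    }
}
```

Storing only the hash of the announced arguments keeps the schedule generic across setters of different shapes, and it means the owner cannot announce one value to stakers and execute another; a monitor that indexes `UpdateScheduled` and the three `*Updated` events has everything it needs to alert before and after each change.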

HardlyDifficult commented 2 years ago

Good recommendation. Lowering risk and merging with the warden's QA report #345