Any methods that gets installed as a plugin can be executed without hash permission as the call directs to the internal function.
This may become dangerous if exposed method was meant to be callable by owner/permissioned module.
This may be intended, but it's preferable to not allow user to specify address of a token that is controllable by attacker and can be exploited in Buyout and Migration
few LOW / QA findings:
[QA-01] TransferOwnership has no zero-address check
Notably this also allows to create a contract with locked access: deployFor createFor
Results in:
emit TransferOwnership(_oldOwner: VaultFactory: [0x037fc82298142374d974839236d2e2df6b5bdd8f], _newOwner: 0x0000000000000000000000000000000000000000)[LOW-02] Vault.Sol:
fallbackallows to execute any installed method to be executableAny methods that gets installed as a plugin can be executed without hash permission as the call directs to the internal function. This may become dangerous if exposed method was meant to be callable by owner/permissioned module.
[QA-03]
deploy/deployForis callable directlya direct call to VaultFactory does not make a register
VaultRegistryThis may be intended to be deployable directly, but a new deploy will be occured by any
msg.sendercaller in that case.[LOW-04]
createInCollectionallows passing any token's address, which can be a fake FERC1155 or invalidAs the function expects token to pass a
FERC1155, it allows setuping a vault with any token as registry. An arbitrary token may allow to more attack control for that affected vault.This may be intended, but it's preferable to not allow user to specify address of a token that is controllable by attacker and can be exploited in
BuyoutandMigration[LOW-05]
createCollectionForcan setup a token controller with zero addressa controller will not be able to fulfill
onlyControllerchecks in a token if controller address was set 0.[QA-06]
deployVaultcan be deployed with 0 fractionSupply minted