Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/features/Blocklist.sol#L11
Vulnerability details
Impact
There is no ability to change `manager` for this contract. There is good reason that contracts allow ownership to change. If this `manager` account is compromised, you would need to redeploy 'Blocklist' entirely and migrate the old values. That could be very difficult in a hurry and would result in either having to effectively unblock all accounts temporarily whilst the old blocklist is migrated, or it would require allowing the compromised blocklist `manager` to remain in place until the proper migration is complete, which would allow them to block legitimate users from creating or updating locks.

Recommended Mitigation Steps

Add a function to change `manager` to a new value, preferably including zero address checks and a propose/accept pattern.
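As an added illustration of the mitigation above (example code written for this finding, not taken from the audited FIAT DAO repository; the contract, function and event names are assumptions), a minimal two-step manager handover with zero-address checks:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the recommended mitigation: a propose/accept
// (two-step) manager handover with zero-address checks. Contract, function
// and event names are assumptions, not taken from the audited Blocklist.sol.
contract BlocklistTwoStepManager {
    address public manager;
    address public pendingManager;
    mapping(address => bool) private _blocklist;

    event ManagerProposed(address indexed current, address indexed proposed);
    event ManagerChanged(address indexed previous, address indexed current);

    modifier onlyManager() {
        require(msg.sender == manager, "Blocklist: caller is not the manager");
        _;
    }

    constructor(address initialManager) {
        require(initialManager != address(0), "Blocklist: zero manager");
        manager = initialManager;
        emit ManagerChanged(address(0), initialManager);
    }

    // Step 1: the current manager nominates a successor. Nothing changes yet,
    // so a mistyped address cannot leave the contract without a manager.
    function proposeManager(address newManager) external onlyManager {
        require(newManager != address(0), "Blocklist: zero address");
        pendingManager = newManager;
        emit ManagerProposed(manager, newManager);
    }

    // Step 2: only the nominee can complete the handover, proving it controls
    // the key. The pending slot is cleared so the nomination cannot be reused.
    function acceptManager() external {
        require(msg.sender == pendingManager, "Blocklist: not pending manager");
        emit ManagerChanged(manager, pendingManager);
        manager = pendingManager;
        pendingManager = address(0);
    }

    // Lets the current manager withdraw a nomination before it is accepted.
    function cancelProposedManager() external onlyManager {
        pendingManager = address(0);
    }

    function blockAccount(address account) external onlyManager { _blocklist[account] = true; }
    function isBlocked(address account) external view returns (bool) { return _blocklist[account]; }
}
```

Because the handover only completes in `acceptManager`, a compromised or lost `manager` key can be rotated out without redeploying the blocklist or migrating its entries.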