There is no ability to change manager for this contract. There is good reason that contracts allow ownership to change. If this manager account is compromised, you would need to redeploy 'Blocklist' entirely and migrate the old values. That could be very difficult in a hurry and would result in either having to effectively unblock all accounts temporarily whilst the old blocklist is migrated, or it would require allowing the compromised blocklist manager to remain in place until the proper migration is complete, which would allow them to block legitimate users from creating or updating locks.
Recommended Mitigation Steps
Add a function to change manager to a new value, preferably including zero address checks and a propose/accept pattern.
lacoop6tu
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/features/Blocklist.sol#L11
Vulnerability details
Impact
There is no ability to change
managerfor this contract. There is good reason that contracts allow ownership to change. If thismanageraccount is compromised, you would need to redeploy 'Blocklist' entirely and migrate the old values. That could be very difficult in a hurry and would result in either having to effectively unblock all accounts temporarily whilst the old blocklist is migrated, or it would require allowing the compromised blocklistmanagerto remain in place until the proper migration is complete, which would allow them to block legitimate users from creating or updating locks.Recommended Mitigation Steps
Add a function to change
managerto a new value, preferably including zero address checks and a propose/accept pattern.