`operator` role it's handled in a way that can damage the protocol

[code423n4]

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/BorrowControl.sol#L1

Vulnerability details

operator role it's handled in a way that can damage the protocol

Impact

Same logic is being deployed several times, for maintainability is hardly recommended to not copy paste same logic many times but inherit it.

Also there is an issue in BorrowController with: https://github.com/code-423n4/2022-10-inverse/blob/aaf717f13c1f9a6e2f0888fef7c9b40400eeb4ec/src/BorrowController.sol#L26

function setOperator(address _operator) public onlyOperator { operator = _operator; }

In the first case we can see a simple transfer of privileges. This one:

• Doesn't check for 0 address
• If mistakenly put the address, operator privileges will be lost and forced to be redeployed the contract in case it want to be recovered. This would lead to:

1. Some functions not being usable until redeployed BorrowController.sol (allow(), deny(), setOperator()) This means that markets can't being denied in case they get compromised And neither can be allowed new markets
2. Extra gas cost for redeploying
3. Reputational damage (most of the times more valuable than the previous one)

• Doesn't emit an event that helps monitoring off-chain, this would make more probable the fact that

Basically this way is error prone, an not recommended.

As we can see in the other files, operator role is managed better, these files use a double step transfer process, where first pendingOperator is assigned, then it's claimed by the pending address:

https://github.com/code-423n4/2022-10-inverse/blob/aaf717f13c1f9a6e2f0888fef7c9b40400eeb4ec/src/DBR.sol#L53 https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/Oracle.sol#L44

function setPendingOperator(address newOperator_) public onlyOperator { pendingOperator = newOperator_; }

    function claimOperator() public {
        require(msg.sender == pendingOperator, "ONLY PENDING OPERATOR");
        operator = pendingOperator;
        pendingOperator = address(0);
        emit ChangeOperator(operator);
    }

In this case,

• events are emitted when claimed
• 0 address can't be assigned as it has to claim the role
• there is time to correct a human error

Details

All of these methods can be grouped into a single contract

Methods involved:

• onlyOperator
• setPendingOperator
• claimOperator
• setOperator

Params involved:

• operator
• pendingOperator

Events involved:

• ChangeOperator

Github Permalinks

https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/DBR.sol# https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/Oracle.sol# https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/BorrowControl.sol#

Mitigation

• De-duplicated all the hardcoded code by creating a contract with all the logic, then inherit from it
• Also I would suggest not to have setOperator in the operator role contract, in case this method is kept, add at least the event and the 0 check.

[neumoxx]

Inflated severity. Probably should be QA.

[c4-judge]

0xean marked the issue as unsatisfactory: Overinflated severity