code-423n4 / 2023-01-drips-findings


Admin update lacks two step verification for DripsHub #118

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/main/src/DripsHub.sol#L53
https://github.com/code-423n4/2023-01-drips/blob/main/src/Managed.sol#L84-L86

Vulnerability details

Impact

The main contract of the Drips protocol, DripsHub, inherits the changeAdmin() function from Managed to update the admin address.

Inside this function the address is simply changed to the new value. If the newAdmin parameter is incorrect by mistake, admin access will be lost, including the possibility to pause/unpause/upgrade the contract.

Changing the admin for the DripsHub contract should be done in two steps, because this contract is the most critical contract of the Drips protocol.

Proof of Concept

Tools Used

Manual review.

Recommended Mitigation Steps

Use two-step admin changing for DripsHub contract.
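One way to realise the two-step handover recommended above, shown as an added example that is not code from the Drips repository; the contract name and the `pendingAdmin`, `proposeAdmin` and `acceptAdmin` identifiers are assumptions, not names from `Managed`:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Minimal two-step admin handover, written to illustrate the
/// mitigation above. It is not the Drips `Managed` contract; the names
/// `pendingAdmin`, `proposeAdmin` and `acceptAdmin` are assumptions.
contract TwoStepAdmin {
    address public admin;
    /// @dev Nominee that must call acceptAdmin() before gaining any rights.
    address public pendingAdmin;

    event AdminProposed(address indexed current, address indexed proposed);
    event AdminChanged(address indexed previous, address indexed current);

    error NotAdmin();
    error NotPendingAdmin();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address initialAdmin) {
        admin = initialAdmin;
        emit AdminChanged(address(0), initialAdmin);
    }

    /// @notice Step 1: the current admin nominates a successor. Nothing changes
    /// yet, so a mistyped `newAdmin` costs nothing: the proposal can simply be
    /// overwritten, or cancelled by proposing address(0).
    function proposeAdmin(address newAdmin) external onlyAdmin {
        pendingAdmin = newAdmin;
        emit AdminProposed(admin, newAdmin);
    }

    /// @notice Step 2: only the nominee can finish the handover, which proves
    /// the key behind `newAdmin` is live and under the successor's control.
    /// Pause/unpause/upgrade stay gated by onlyAdmin throughout, so the old
    /// admin keeps control until the new one has demonstrably accepted.
    function acceptAdmin() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        emit AdminChanged(admin, msg.sender);
        admin = msg.sender;
        pendingAdmin = address(0);
    }
}
```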

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Overinflated severity

GalloDaSballo commented 1 year ago

NC at best, sent as Med, overly inflated