search

code-423n4 / 2023-01-popcorn-findings

0 stars 0 forks source link

quitPeriod can not be changed since setQuitPeriod() is never called from VaultController #731

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/Vault.sol#L629

Vulnerability details

Impact

There is no implementation of a function in the VaultController that calls the setQuitPeriod() function. There is therefore no way to change the quitPeriod().

Proof of Concept

Vault are suppoed to be able to have a quitPeriod of 1-7 days. Since no function in the VaultController has been implemented to call the quitPeriod can not be changed.

Being able to change the quitPeriod is an important functionality. Extending it is an important security feature that is needed if dangerous or contentious changes are proposed.

Tools Used

manual review

Recommended Mitigation Steps

Add a function to the VaultController that calls the setQuitPeriod().

c4-sponsor commented 1 year ago

RedVeil marked the issue as sponsor confirmed

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Invalid