Open code423n4 opened 1 year ago
0xScotch marked the issue as sponsor confirmed
This is a good find and I think we will just remove the setTimekeeper methods. There is no reason for the timekeeper to ever be updated at this point given all it does is track epochs.
Historically this method was there because what we now call the timekeeper was called the MaltDAO and was earmarked to be used for many other things other than timekeeping. Eventually we realised the timekeeping should be separated into its own thing. These methods were clearly forgotten about and not removed.
Picodes marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-02-malt/blob/700f9b468f9cf8c9c5cffaa1eba1b8dea40503f9/contracts/RewardSystem/RewardThrottle.sol#L690-L696
Vulnerability details
Impact
RewardThrottle.setTimekeeper allows POOL_UPDATER_ROLE to update the timekeeper when RewardThrottle is active. If newTimekeeper.epoch changes, it will cause the following
Proof of Concept
https://github.com/code-423n4/2023-02-malt/blob/700f9b468f9cf8c9c5cffaa1eba1b8dea40503f9/contracts/RewardSystem/RewardThrottle.sol#L690-L696
Tools Used
None
Recommended Mitigation Steps
Consider only allowing setTimekeeper to be called when RewardThrottle is not active