Open code423n4 opened 1 year ago
Lines of code
https://github.com/code-423n4/2023-02-malt/blob/main/contracts/GlobalImpliedCollateralService.sol#L116
Vulnerability details
Impact
`GlobalImpliedCollateralService.setPoolUpdater()` removes the updater when `_updater == oldUpdater`.
Proof of Concept
`GlobalImpliedCollateralService.setPoolUpdater()` is used to set or update the pool updaters.
```solidity
function setPoolUpdater(address _pool, address _updater)
  external
  onlyRoleMalt(UPDATER_MANAGER_ROLE, "Must have updater manager role")
{
  require(_updater != address(0), "GlobImpCol: No addr(0)");
  poolUpdaters[_updater] = _pool;
  address oldUpdater = poolUpdatersLookup[_pool];
  emit SetPoolUpdater(_pool, _updater);
  poolUpdaters[oldUpdater] = address(0); //@audit doesn't work when _update = oldUpdater
  poolUpdatersLookup[_pool] = _updater;
}
```
But it removes the `oldUpdater` after setting the new updater, so it will reset `poolUpdaters[_updater]` when `_updater == oldUpdater`.
As a result, the original updater won't have a relevant role.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommend checking `_update != oldUpdater`.
```solidity
function setPoolUpdater(address _pool, address _updater)
  external
  onlyRoleMalt(UPDATER_MANAGER_ROLE, "Must have updater manager role")
{
  require(_updater != address(0), "GlobImpCol: No addr(0)");
  poolUpdaters[_updater] = _pool;
  address oldUpdater = poolUpdatersLookup[_pool];
  require(_updater != oldUpdater, "Same updater"); //+++++++++++++++++++
  emit SetPoolUpdater(_pool, _updater);
  poolUpdaters[oldUpdater] = address(0);
  poolUpdatersLookup[_pool] = _updater;
}
```
0xScotch marked the issue as sponsor confirmed
Downgrading to Low as this boils down to adding a safety check on an admin function.
Picodes changed the severity to QA (Quality Assurance)
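The state change reported in this issue can be replayed off-chain. The following is an added example, not code from the issue or from the Malt repository: a Python model of the two mappings, run against the original statement order and against the recommended check. The class, method and address names are hypothetical, and the model treats a missing key as `address(0)`.

```python
ZERO = "0x0"  # stands in for address(0), the default of an unset mapping slot


class Registry:
    """Model of the poolUpdaters / poolUpdatersLookup pair (constructed names)."""

    def __init__(self):
        self.pool_updaters = {}         # updater -> pool  (poolUpdaters)
        self.pool_updaters_lookup = {}  # pool -> updater  (poolUpdatersLookup)

    def set_original(self, pool, updater):
        """Statement order as shown in the issue."""
        if updater == ZERO:
            raise ValueError("GlobImpCol: No addr(0)")
        self.pool_updaters[updater] = pool
        old = self.pool_updaters_lookup.get(pool, ZERO)
        self.pool_updaters[old] = ZERO  # overwrites the write above when old == updater
        self.pool_updaters_lookup[pool] = updater

    def set_checked(self, pool, updater):
        """Recommended mitigation. Checking before writing models the revert,
        which would roll back any earlier write in the same call."""
        if updater == ZERO:
            raise ValueError("GlobImpCol: No addr(0)")
        old = self.pool_updaters_lookup.get(pool, ZERO)
        if updater == old:
            raise ValueError("Same updater")
        self.pool_updaters[updater] = pool
        self.pool_updaters[old] = ZERO
        self.pool_updaters_lookup[pool] = updater

    def consistent(self):
        """Invariant: every pool's recorded updater maps back to that pool."""
        return all(self.pool_updaters.get(u, ZERO) == p
                   for p, u in self.pool_updaters_lookup.items())


def replay(setter_name):
    """Assign the same updater twice; return (reverted, updater's pool, invariant)."""
    reg = Registry()
    setter = getattr(reg, setter_name)
    setter("pool-A", "updater-1")
    try:
        setter("pool-A", "updater-1")
        reverted = False
    except ValueError:
        reverted = True
    return reverted, reg.pool_updaters.get("updater-1", ZERO), reg.consistent()
```

The `consistent()` property is the kind of invariant a unit or fuzz test can assert after every call to the setter.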