Closed code423n4 closed 11 months ago
0xSorryNotSorry marked the issue as primary issue
this should not be a primary issue, see unit tests for expected behavior. It's how a timelock modifies itself through a self call.
ElliotFriedman marked the issue as sponsor disputed
msg.sender
is updated in each external call. The Temporal governor calling this.grantGuardianPause()
will mean that msg.sender == address(this)
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/8694244ebf607a4ed33c0b74f422019fe8eb8d3e/src/core/Governance/TemporalGovernor.sol#L187-L198
Vulnerability details
Impact
External visibility modifier on function that should be callable from address(this). Doesnt seem right.
Proof of Concept
Tools Used
VSC, manual.
Recommended Mitigation Steps
The msg.sender part should not be address(this), as is currently the case: msg.sender == address(this)
Unless I'm mistaken, the above should not be possible?
Assessed type
Access Control