Missing updating `nftRenderer` implementation when `SafeManager` address is updated in the `Vault721` contract

[c4-submissions]

Lines of code

https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/Vault721.sol#L126-L12

Vulnerability details

Impact

• The address of the ODSafeManager is consumed by the NFTRenderer contract to get the SAFE data (VaultParams) to create the json object with NFV description and image so that it can be rendered on the frontend.

• The address of the ODSafeManager in Vault721 contract can be changed by the governance via Vault721.setSafeManager; but when doing so, this change is not synced with the NFTRenderer contract (in Vault721 contract by calling nftRenderer.setImplementation), which will result in wrong data rendered for SAFEs [this is related to another issue where the old safes will not be rendered by the new safe manager ASK SPONSORS]

Proof of Concept

Vault721.setSafeManager function

  function setSafeManager(address _safeManager) external onlyGovernor {
    _setSafeManager(_safeManager);
  }

Tools Used

Manual Testing.

Recommended Mitigation Steps

Sync/reflect updated SafeManager address with the NFTRenderer contract.

Assessed type

Context

[c4-pre-sort]

raymondfam marked the issue as low quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #37

[c4-judge]

MiloTruck marked the issue as not a duplicate

[c4-judge]

MiloTruck marked the issue as unsatisfactory: Invalid

[MiloTruck]

Governance can call updateNftRenderer() afterwards to sync the NFTRenderer contract with the new SafeManager if needed.