Lines of code
https://github.com/code-423n4/2023-12-autonolas/blob/main/tokenomics/contracts/Treasury.sol#L156-L167
Vulnerability details
Impact
If any one of the manager addresses (the tokenomics, depository or dispenser contract) is compromised or deprecated, replacing that single compromised manager contract address requires replacing all the other manager addresses as well. This not only increases the protocol's gas consumption but also forces governance to make unnecessary proposals for manager addresses that do not need replacement.
As a result, whenever a change is made to one manager contract, changes are also required for all manager contract addresses.
Proof of Concept
In a situation where the tokenomics, depository or dispenser contract becomes deprecated or compromised, or needs an update because of an issue in its logic, changes need to be made to all three contract addresses.
For example, suppose the Tokenomics contract address needs to be updated but the dispenser and depository contracts need no update. Updating the Tokenomics contract address still requires additional updates to both the dispenser and depository contract addresses.
This means additional proposals must be made for the replacement of the two other contracts, which was not needed in the first place.
It can also lead to wrong contract addresses being assigned to the other manager addresses that the contract owner never intended to change.
Tools Used
Manual review, VSCODE
Recommended Mitigation Steps
Different functions should be made available for the replacement of each manager addresses instead of just one function being used to replace all three managers all at once.
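The hypothetical contract below is an added illustration of this recommendation; it is example code written for this page, not the project's Treasury.sol. It places a single all-at-once setter (the pattern the report describes) next to three separate owner-only setters, each with its own zero-address check and event, so that a proposal rotating one manager never has to restate the other two. All names (ManagerRegistry, changeTokenomics, changeDepository, changeDispenser, the events and errors) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// @dev Hypothetical registry used only to illustrate the mitigation;
///      it is not the project's Treasury contract.
contract ManagerRegistry {
    address public owner;
    address public tokenomics;
    address public depository;
    address public dispenser;

    error OwnerOnly(address sender, address owner);
    error ZeroAddress();

    event TokenomicsUpdated(address indexed tokenomics);
    event DepositoryUpdated(address indexed depository);
    event DispenserUpdated(address indexed dispenser);

    modifier onlyOwner() {
        if (msg.sender != owner) revert OwnerOnly(msg.sender, owner);
        _;
    }

    constructor(address _tokenomics, address _depository, address _dispenser) {
        if (_tokenomics == address(0) || _depository == address(0) || _dispenser == address(0)) {
            revert ZeroAddress();
        }
        owner = msg.sender;
        tokenomics = _tokenomics;
        depository = _depository;
        dispenser = _dispenser;
    }

    // Pattern the report objects to: one call must carry all three addresses,
    // so a proposal that only needs to rotate tokenomics must restate the
    // current depository and dispenser as well, and a typo in either silently
    // repoints a manager that was never meant to change.
    function changeManagers(address _tokenomics, address _depository, address _dispenser)
        external
        onlyOwner
    {
        if (_tokenomics == address(0) || _depository == address(0) || _dispenser == address(0)) {
            revert ZeroAddress();
        }
        tokenomics = _tokenomics;
        depository = _depository;
        dispenser = _dispenser;
        emit TokenomicsUpdated(_tokenomics);
        emit DepositoryUpdated(_depository);
        emit DispenserUpdated(_dispenser);
    }

    // Recommended mitigation: one setter per manager. Each proposal touches
    // exactly the address it intends to replace, the other two are never
    // re-submitted, and the emitted event records only the manager that moved.
    function changeTokenomics(address _tokenomics) external onlyOwner {
        if (_tokenomics == address(0)) revert ZeroAddress();
        tokenomics = _tokenomics;
        emit TokenomicsUpdated(_tokenomics);
    }

    function changeDepository(address _depository) external onlyOwner {
        if (_depository == address(0)) revert ZeroAddress();
        depository = _depository;
        emit DepositoryUpdated(_depository);
    }

    function changeDispenser(address _dispenser) external onlyOwner {
        if (_dispenser == address(0)) revert ZeroAddress();
        dispenser = _dispenser;
        emit DispenserUpdated(_dispenser);
    }
}
```

With the per-manager setters, a governance proposal that replaces only the tokenomics contract encodes a single call to changeTokenomics, so reviewers of the proposal calldata see one address rather than three, and the depository and dispenser storage slots are never written during that proposal.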
Assessed type
Other