code-423n4 / 2024-02-wise-lending-findings

[M-3] farmContract address can become unchangeable #297

Closed c4-bot-6 closed 3 months ago

c4-bot-6 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PowerFarmNFTs/PowerFarmNFTs.sol#L51-L60

Vulnerability details

Description:

If the setFarmContract::farmContract address is mistakenly set to a different address, it becomes unchangeable, since we are required to pass a check of farmContract == ZERO_ADDRESS before we can change the address, which in this case is going to fail.

Impact:

We can't change the farmContract address if it is not the zero address, and if there is a need to change it, the protocol will have to redeploy the contract.

Tools Used

Manual Review

Proof Of Concept:

    function setFarmContract(
        address _farmContract
    )
        external
        onlyMaster
    {
        if (farmContract == ZERO_ADDRESS) {
            farmContract = _farmContract;
        }
    }

Recommended Mitigation Steps:

Change the setFarmContract logic

Assessed type

call/delegatecall
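
The following is an added example, not part of the original report and not Wise Lending code. It shows a write-once setter that keeps the one-time rule visible in the snippet above, but reverts on a repeat call or a zero-address input instead of returning successfully with no state change, and emits an event when the link is made. The contract name, the errors, the event and the deployer-as-master constructor are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not Wise Lending code. Names other than
// setFarmContract, farmContract, onlyMaster and ZERO_ADDRESS are hypothetical.
contract SetOnceFarmLink {
    address internal constant ZERO_ADDRESS = address(0);

    // Assumption: the deployer is the master.
    address public immutable master;
    address public farmContract;

    error NotMaster();
    error ZeroFarmContract();
    error FarmContractAlreadySet(address current);

    event FarmContractSet(address indexed farmContract);

    modifier onlyMaster() {
        if (msg.sender != master) revert NotMaster();
        _;
    }

    constructor() {
        master = msg.sender;
    }

    // Write-once: the first valid call stores the address, and every later
    // call reverts with the currently stored value in the error data.
    function setFarmContract(address _farmContract) external onlyMaster {
        // Storing address(0) would leave the slot "unset" and invite a retry.
        if (_farmContract == ZERO_ADDRESS) revert ZeroFarmContract();
        if (farmContract != ZERO_ADDRESS) {
            revert FarmContractAlreadySet(farmContract);
        }
        farmContract = _farmContract;
        emit FarmContractSet(_farmContract);
    }
}
```

With the setter quoted in the report, a second call from the master succeeds and leaves `farmContract` untouched; here the same call fails visibly, so a deployment script or monitor can catch a wrong address at the point of the mistake.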

GalloDaSballo commented 4 months ago

Admin mistake as Med

c4-pre-sort commented 4 months ago

GalloDaSballo marked the issue as insufficient quality report

vm06007 commented 3 months ago

Admin actions are clearly stated as OUT OF SCOPE! Centralization topics of admin inputs are not part of this competition. Please dismiss this.

c4-judge commented 3 months ago

trust1995 marked the issue as unsatisfactory: Out of scope