code-423n4 / 2024-03-neobase-findings


M-01 from previous audit still present #17

Open c4-bot-6 opened 8 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-03-neobase/blob/main/src/GaugeController.sol#L346-L348

Vulnerability details

Proof of Concept

M-01 from the previous audit is still present. In this issue the sponsor said that they fixed it. I tried to check how it was fixed, but the link doesn't work for me.

But the change_gauge_weight function still exists, which makes it possible to reproduce this. Also, the remove_gauge_weight function is present, which allows a gauge to be completely removed, and I think that the fix was to remove the change_gauge_weight function.

Impact

A gauge can have a bigger weight than was intended by the protocol.

Tools Used

VsCode

Recommendation

Remove the change_gauge_weight function.

Assessed type

Error

c4-judge commented 8 months ago

MarioPoneder marked the issue as primary issue

zjesko commented 8 months ago

mitigation PR:

https://github.com/mkt-market/canto-neofinance-coordinator/pull/19

c4-sponsor commented 8 months ago

zjesko (sponsor) confirmed

MarioPoneder commented 7 months ago

https://github.com/code-423n4/2023-08-verwa-findings/issues/294

c4-judge commented 7 months ago

MarioPoneder marked the issue as satisfactory

c4-judge commented 7 months ago

MarioPoneder marked the issue as selected for report