code-423n4 / 2024-03-saltyio-mitigation-findings

H-01 MitigationConfirmed #33

Open c4-bot-8 opened 8 months ago

c4-bot-8 commented 8 months ago

Vulnerability details

Summary

H-01 highlighted that during upkeep, the SALT for the teamVestingWallet goes via the upkeep contract through the call to OZ's VestingWallet::release() function, which does not have any access control. Hence, anyone could call release() directly without the knowledge of upkeep, thereby locking the SALT forever.

Mitigation

The SALT is now directly sent to the teamWallet with no intermediary, thus mitigating the issue. Even if release() is called directly by a user now, the correct amount is sent to the teamWallet with no disruption visible in the next upkeep() call.

Conclusion

LGTM
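To make the root cause and the fix concrete, here is an added, simplified model of the two wirings (not Salty.io's code; contract names, the constructor parameters and the balance-delta forwarding are assumptions). It relies only on the fact the review describes: OpenZeppelin's `VestingWallet.release(address)` is public, unrestricted, and pays the configured beneficiary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/finance/VestingWallet.sol";

// Assumed pre-fix wiring: the VestingWallet's beneficiary is this Upkeep contract,
// which is expected to forward whatever release() drops into it to the team wallet.
contract UpkeepBefore {
    IERC20 public immutable salt;
    VestingWallet public immutable teamVestingWallet;
    address public immutable teamWallet;

    constructor(IERC20 _salt, uint64 start, uint64 duration, address _teamWallet) {
        salt = _salt;
        teamWallet = _teamWallet;
        // The intermediary is the beneficiary: this is the root cause.
        teamVestingWallet = new VestingWallet(address(this), start, duration);
    }

    function performUpkeep() external {
        uint256 before = salt.balanceOf(address(this));
        // release(address) has no access control. If a third party called it before
        // this upkeep, those tokens already sit here and are counted in `before`, so
        // the delta below excludes them; nothing in this contract can move them out.
        teamVestingWallet.release(address(salt));
        uint256 released = salt.balanceOf(address(this)) - before;
        if (released > 0) {
            require(salt.transfer(teamWallet, released), "forward failed");
        }
    }
}

// Post-fix wiring: the team wallet is the beneficiary itself, so release() pays it
// directly whoever calls it, and upkeep only has to trigger the release.
contract UpkeepAfter {
    IERC20 public immutable salt;
    VestingWallet public immutable teamVestingWallet;

    constructor(IERC20 _salt, uint64 start, uint64 duration, address teamWallet) {
        salt = _salt;
        teamVestingWallet = new VestingWallet(teamWallet, start, duration);
    }

    function performUpkeep() external {
        // Idempotent: an earlier direct release() only means less is releasable now.
        teamVestingWallet.release(address(salt));
    }
}
```

In the first contract a direct `release()` call leaves SALT stranded in the upkeep contract; in the second, the same call simply delivers it to the team wallet early, which is why the next `upkeep()` shows no disruption.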

c4-judge commented 8 months ago

Picodes marked the issue as satisfactory