code-423n4 / 2024-03-saltyio-mitigation-findings


H-01 MitigationConfirmed #41

Open c4-bot-3 opened 4 months ago

c4-bot-3 commented 4 months ago

Lines of code

Vulnerability details

C4 Issue

https://github.com/code-423n4/2024-01-salty-findings/issues/712

Comments

The original issue highlighted the fact that on performing upkeep, step 11 of performUpkeep which "Sends SALT from the team vesting wallet to the team" sent it first from the vesting wallet to the upkeep contract, and then to the team wallet. The problem was threefold:

  1. that the vesting wallet beneficiary was the upkeep contract.
  2. that the release function was callable by anyone.
  3. that upkeep didn't know how much SALT had been distributed in advance, hence it had no way to transfer it to the development team, effectively locking SALT in upkeep.

Mitigation

https://github.com/othernet-global/salty-io/commit/5766592880737a5e682bb694a3a79e12926d48a5

As is evident in the lines of code below, the final mitigation for this was to simply set the beneficiary of vesting to be the team wallet address (previously the deprecated managed team contract) instead of upkeep. Therefore, any time release is called, either through the upkeep process or via a third party, the SALT is directly transferred to the team wallet, preventing any lockup of SALT.

https://github.com/othernet-global/salty-io/blob/d47eae920d5840afadd5fd5d1fd0d6da0107c034/src/dev/Deployment.sol#L214
https://github.com/othernet-global/salty-io/blob/d47eae920d5840afadd5fd5d1fd0d6da0107c034/src/Upkeep.sol#L164

Conclusion

LGTM
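The lock-up pattern described in the comment above, and the mitigation of pointing the vesting beneficiary at the team wallet, reduced to a self-contained Solidity example. This is added illustration only, not code from the salty-io repository or from the warden; `SimpleVestingWallet`, `UpkeepBefore`, `UpkeepAfter` and the minimal `IERC20` surface are hypothetical names modelled on an OpenZeppelin-style linear vesting wallet whose `release()` is permissionless and always pays the fixed beneficiary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed here (hypothetical, not the SALT token's own interface).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified linear vesting wallet in the style of OpenZeppelin's VestingWallet:
// anyone may call release(), and the tokens always go to the fixed beneficiary.
contract SimpleVestingWallet {
    address public immutable beneficiary;
    uint64 public immutable start;
    uint64 public immutable duration;
    mapping(address => uint256) public released;

    constructor(address _beneficiary, uint64 _start, uint64 _duration) {
        require(_beneficiary != address(0), "zero beneficiary");
        require(_duration > 0, "zero duration");
        beneficiary = _beneficiary;
        start = _start;
        duration = _duration;
    }

    // Total vested at `timestamp`: linear from start to start + duration.
    function vestedAmount(address token, uint64 timestamp) public view returns (uint256) {
        uint256 total = IERC20(token).balanceOf(address(this)) + released[token];
        if (timestamp < start) return 0;
        if (timestamp >= start + duration) return total;
        return (total * (timestamp - start)) / duration;
    }

    function releasable(address token) public view returns (uint256) {
        return vestedAmount(token, uint64(block.timestamp)) - released[token];
    }

    // Permissionless: whoever calls it, the funds land at `beneficiary`.
    function release(address token) external {
        uint256 amount = releasable(token);
        released[token] += amount;
        require(IERC20(token).transfer(beneficiary, amount), "transfer failed");
    }
}

// BEFORE (the pattern the finding describes): the upkeep contract is the vesting
// beneficiary and forwards only what it just released. If a third party called
// release() earlier, that SALT arrived here outside this function and `amount`
// does not account for it, so it stays in the upkeep contract with no path out.
// Forwarding the whole balance instead is not a safe fix when the same contract
// also holds SALT for other purposes (assumption stated for this example).
contract UpkeepBefore {
    SimpleVestingWallet public immutable vesting;
    IERC20 public immutable salt;
    address public immutable teamWallet;

    constructor(SimpleVestingWallet _vesting, IERC20 _salt, address _teamWallet) {
        vesting = _vesting;
        salt = _salt;
        teamWallet = _teamWallet;
    }

    function forwardTeamVesting() external {
        uint256 amount = vesting.releasable(address(salt));
        vesting.release(address(salt)); // pays this contract, because it is the beneficiary
        // Only `amount` moves on; SALT released by someone else before this call is stranded.
        require(salt.transfer(teamWallet, amount), "transfer failed");
    }
}

// AFTER (the mitigation): the vesting wallet is deployed with the team wallet as
// beneficiary, so release() moves SALT straight to the team regardless of who calls
// it, and the upkeep contract never holds the vested SALT at all.
contract UpkeepAfter {
    SimpleVestingWallet public immutable vesting;
    address public immutable salt;

    // Deployment would be: new SimpleVestingWallet(teamWallet, start, duration)
    constructor(SimpleVestingWallet _vesting, address _salt) {
        vesting = _vesting;
        salt = _salt;
    }

    function forwardTeamVesting() external {
        vesting.release(salt); // beneficiary() == team wallet, nothing stops here
    }
}
```

The check a reviewer wants when confirming this kind of fix is on the deployment side rather than in Upkeep: assert at deploy time (or in a test) that `vesting.beneficiary()` equals the team wallet, since the release path is permissionless and a wrong beneficiary cannot be corrected after the fact.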

c4-judge commented 4 months ago

Picodes marked the issue as satisfactory