code-423n4 / 2024-03-saltyio-mitigation-findings


M-07 MitigationConfirmed #53

Open c4-bot-7 opened 4 months ago

c4-bot-7 commented 4 months ago

Lines of code

Vulnerability details

C4 Issue

https://github.com/code-423n4/2024-01-salty-findings/issues/838

Comments

The ManagedWallet's receive function oversight fails to reset proposedMainWallet to a null address following a rejection by the confirmation wallet, thus blocking any future wallet change proposals. Specifically, when the confirmation wallet sends less than 0.05 ether to signify rejection of a wallet change proposal, although activeTimelock is adjusted appropriately, proposedMainWallet remains unchanged. This oversight conflicts with the proposeWallets function's prerequisite that proposedMainWallet must be address(0) to accept new proposals. As a result, once a change is rejected, the system is locked in a state where no further proposals for changing the main and confirmation wallets can be submitted, effectively freezing the ability to update wallet addresses indefinitely.

Mitigation

https://github.com/othernet-global/salty-io/commit/5766592880737a5e682bb694a3a79e12926d48a5

The issue primarily resided in logic within the ManagedWallet contract. This has been entirely deprecated, and replaced by a simple address representing the team wallet.

Conclusion

LGTM
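The state-machine defect described in the finding, sketched as an added Solidity example (not the salty-io code and not the project's chosen mitigation, which removed ManagedWallet altogether): a rejection path that only resets `activeTimelock` leaves `proposedMainWallet` set, so the `address(0)` precondition in `proposeWallets` rejects every later proposal. Only `proposedMainWallet`, `activeTimelock`, `proposeWallets`, the 0.05 ether threshold and the confirmation-wallet role come from the page; `proposedConfirmationWallet`, `TIMELOCK_DURATION` and the access checks are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal reconstruction of the propose / confirm / reject flow from the finding.
// Assumed names and values: proposedConfirmationWallet, TIMELOCK_DURATION, the
// onlyMainWallet check. Everything else follows the page's description.
contract ManagedWalletSketch {
    address public mainWallet;
    address public confirmationWallet;
    address public proposedMainWallet;
    address public proposedConfirmationWallet;   // assumed name
    uint256 public activeTimelock;

    uint256 private constant TIMELOCK_DURATION = 30 days;   // assumed value
    uint256 private constant CONFIRM_THRESHOLD = 0.05 ether; // from the finding

    constructor(address _main, address _confirmation) {
        mainWallet = _main;
        confirmationWallet = _confirmation;
        activeTimelock = type(uint256).max; // nothing pending
    }

    function proposeWallets(address _newMain, address _newConfirmation) external {
        require(msg.sender == mainWallet, "only mainWallet");
        // Precondition the finding hinges on: a stale proposedMainWallet left
        // behind by a rejected proposal makes every later call revert here.
        require(proposedMainWallet == address(0), "proposal already pending");
        proposedMainWallet = _newMain;
        proposedConfirmationWallet = _newConfirmation;
    }

    // The confirmation wallet signals by value: >= 0.05 ether confirms and starts
    // the timelock, anything less rejects.
    receive() external payable {
        require(msg.sender == confirmationWallet, "only confirmationWallet");
        if (msg.value >= CONFIRM_THRESHOLD) {
            activeTimelock = block.timestamp + TIMELOCK_DURATION;
        } else {
            activeTimelock = type(uint256).max;
            // The two resets below are what the vulnerable receive() omitted.
            // Without them the contract can never accept another proposal.
            proposedMainWallet = address(0);
            proposedConfirmationWallet = address(0);
        }
    }
}
```

A regression test for this class of bug is a three-step sequence: propose, reject by sending below the threshold, then propose again and assert the second call succeeds.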

c4-judge commented 4 months ago

Picodes marked the issue as satisfactory