code-423n4 / 2024-05-munchables-findings


approveUSDPrice() only checks for prior approve but not for disapprove #477

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L177

Vulnerability details

Impact

disapproveUSDPrice() checks if the price feed has approved or disapproved the price earlier:

    if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId)
        revert ProposalAlreadyApprovedError();
    if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId)
        revert ProposalAlreadyDisapprovedError();

But approveUSDPrice() only checks for a prior approval:

    if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId)
        revert ProposalAlreadyApprovedError();

PriceFeed can first disapprove the price and then approve the price.

Proof of Concept

PriceFeed can first disapprove the price and then approve the price.

Tools Used

VS Code

Recommended Mitigation Steps

Add a similar check in approveUSDPrice() as in disapproveUSDPrice().

Assessed type

Error
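The symmetric check recommended in the report above, as an added example that is not part of the original submission and is not the LockManager source. The contract name, the `_requireNoPriorVote` helper, the counter fields, the `tallies` view and the integer widths are hypothetical; role checks, thresholds and price matching are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical cut-down model of the proposal voting described in the report.
// Only the "one vote per feed per proposal" rule is modelled.
contract UsdProposalVotes {
    error ProposalAlreadyApprovedError();
    error ProposalAlreadyDisapprovedError();

    struct Proposal {
        mapping(address => uint32) approvals;    // voter => id of proposal approved
        mapping(address => uint32) disapprovals; // voter => id of proposal disapproved
        uint8 approvalsCount;                    // assumed counter
        uint8 disapprovalsCount;                 // assumed counter
    }

    Proposal internal usdUpdateProposal;
    uint32 internal _usdProposalId = 1; // assumed: id of the currently open proposal

    // Rejects a caller that has already voted either way on the open proposal.
    function _requireNoPriorVote() internal view {
        if (usdUpdateProposal.approvals[msg.sender] == _usdProposalId)
            revert ProposalAlreadyApprovedError();
        if (usdUpdateProposal.disapprovals[msg.sender] == _usdProposalId)
            revert ProposalAlreadyDisapprovedError();
    }

    function approveUSDPrice() external {
        // Includes the disapprovals check that the report says approveUSDPrice() lacks.
        _requireNoPriorVote();
        usdUpdateProposal.approvals[msg.sender] = _usdProposalId;
        usdUpdateProposal.approvalsCount++;
    }

    function disapproveUSDPrice() external {
        _requireNoPriorVote();
        usdUpdateProposal.disapprovals[msg.sender] = _usdProposalId;
        usdUpdateProposal.disapprovalsCount++;
    }

    // With the shared check, one address can contribute to at most one tally.
    function tallies() external view returns (uint8, uint8) {
        return (usdUpdateProposal.approvalsCount, usdUpdateProposal.disapprovalsCount);
    }
}
```

Routing both entry points through one guard keeps the two checks from drifting apart again; a regression test would call `disapproveUSDPrice()` then `approveUSDPrice()` from the same address and expect `ProposalAlreadyDisapprovedError`.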

c4-judge commented 3 months ago

alex-ppg marked the issue as satisfactory