code-423n4 / 2024-05-munchables-validation

Uniform USD Price Update for Multiple Tokens in `_execUSDPriceUpdate` Function #605

Open c4-bot-6 opened 6 months ago

c4-bot-6 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L506

Vulnerability details

Impact

The _execUSDPriceUpdate function sets the same USD price for all token contracts in the provided array. This can lead to incorrect price updates if different tokens have different USD prices, potentially causing financial discrepancies and inaccuracies in the system.

Proof of Concept

In the _execUSDPriceUpdate function, the same USD price is applied to all token contracts in the array:

function _execUSDPriceUpdate() internal {
    if (
        usdUpdateProposal.approvalsCount >= APPROVE_THRESHOLD &&
        usdUpdateProposal.disapprovalsCount < DISAPPROVE_THRESHOLD
    ) {
        uint256 updateTokensLength = usdUpdateProposal.contracts.length;
        for (uint256 i; i < updateTokensLength; i++) {
            address tokenContract = usdUpdateProposal.contracts[i];
            if (configuredTokens[tokenContract].nftCost != 0) {
                configuredTokens[tokenContract].usdPrice = usdUpdateProposal
                    .proposedPrice;

                emit USDPriceUpdated(
                    tokenContract,
                    usdUpdateProposal.proposedPrice
                );
            }
        }

        delete usdUpdateProposal;
    }
}

Tools Used

Manual Review

Recommended Mitigation Steps

Ensure that the USD price update is specific to each token contract. Modify the proposal structure to include a mapping of token contracts to their proposed prices and update the proposal functions accordingly.
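The following contract is an added sketch of that mitigation and is not the Munchables LockManager code. It assumes its own contract name, a price-feed role, the `proposePrices` / `approvePrices` / `disapprovePrices` entry points and the threshold values; the only element carried over from the report is the shape of the execution loop. The proposed prices live in a mapping keyed by token address rather than in a single `proposedPrice` field, and the execution loop clears each entry explicitly because `delete` on the proposal struct would not reset a mapping nested inside it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of a per-token USD price proposal (not project code).
/// Contract name, role handling, function names and thresholds are assumed.
contract PerTokenUSDPriceSketch {
    struct ConfiguredToken {
        uint256 usdPrice;
        uint256 nftCost; // non-zero marks a token as configured
    }

    struct USDUpdateProposal {
        uint256 id;          // keys the per-proposal vote bookkeeping
        address proposer;
        address[] contracts; // tokens covered by this proposal
        uint32 approvalsCount;
        uint32 disapprovalsCount;
        bool exists;
    }

    uint32 public constant APPROVE_THRESHOLD = 3;    // assumed value
    uint32 public constant DISAPPROVE_THRESHOLD = 3; // assumed value

    mapping(address => bool) public isPriceFeed;
    mapping(address => ConfiguredToken) public configuredTokens;

    USDUpdateProposal internal usdUpdateProposal;
    uint256 internal nextProposalId = 1;
    // One proposed price per token. Kept outside the struct because
    // `delete usdUpdateProposal` would not clear a nested mapping.
    mapping(address => uint256) internal proposedPrices;
    mapping(uint256 => mapping(address => bool)) internal hasVoted;

    event USDPriceUpdated(address indexed tokenContract, uint256 usdPrice);

    modifier onlyPriceFeed() {
        require(isPriceFeed[msg.sender], "not a price feed");
        _;
    }

    constructor(address[] memory feeds) {
        for (uint256 i; i < feeds.length; i++) isPriceFeed[feeds[i]] = true;
    }

    // Toy configuration hook so the sketch is self-contained; a real
    // deployment would restrict this to an admin role.
    function configureToken(address token, uint256 nftCost) external {
        configuredTokens[token].nftCost = nftCost;
    }

    /// Propose a distinct USD price for each token contract.
    function proposePrices(address[] calldata tokens, uint256[] calldata prices)
        external
        onlyPriceFeed
    {
        require(!usdUpdateProposal.exists, "proposal in progress");
        require(tokens.length == prices.length, "length mismatch");
        require(tokens.length != 0, "empty proposal");

        uint256 id = nextProposalId++;
        usdUpdateProposal = USDUpdateProposal({
            id: id,
            proposer: msg.sender,
            contracts: tokens,
            approvalsCount: 1,
            disapprovalsCount: 0,
            exists: true
        });
        for (uint256 i; i < tokens.length; i++) proposedPrices[tokens[i]] = prices[i];
        hasVoted[id][msg.sender] = true;
        _execUSDPriceUpdate();
    }

    function approvePrices() external onlyPriceFeed { _vote(true); _execUSDPriceUpdate(); }
    function disapprovePrices() external onlyPriceFeed { _vote(false); _execUSDPriceUpdate(); }

    function _vote(bool approve) internal {
        require(usdUpdateProposal.exists, "no proposal");
        uint256 id = usdUpdateProposal.id;
        require(!hasVoted[id][msg.sender], "already voted");
        hasVoted[id][msg.sender] = true;
        if (approve) usdUpdateProposal.approvalsCount++;
        else usdUpdateProposal.disapprovalsCount++;
    }

    /// Apply each token's own proposed price once approved, or discard the
    /// proposal once disapproved; in both cases clear the per-token entries.
    function _execUSDPriceUpdate() internal {
        bool approved = usdUpdateProposal.approvalsCount >= APPROVE_THRESHOLD &&
            usdUpdateProposal.disapprovalsCount < DISAPPROVE_THRESHOLD;
        bool rejected = usdUpdateProposal.disapprovalsCount >= DISAPPROVE_THRESHOLD;
        if (!approved && !rejected) return;

        address[] storage tokens = usdUpdateProposal.contracts;
        for (uint256 i; i < tokens.length; i++) {
            address token = tokens[i];
            if (approved && configuredTokens[token].nftCost != 0) {
                configuredTokens[token].usdPrice = proposedPrices[token];
                emit USDPriceUpdated(token, proposedPrices[token]);
            }
            delete proposedPrices[token]; // clear even for unconfigured tokens
        }
        delete usdUpdateProposal;
    }
}
```

The length check in `proposePrices` is what keeps each price paired with its token; without it a shorter `prices` array would revert on the out-of-bounds read, but a longer one would silently drop trailing prices. Clearing `proposedPrices` inside the loop, rather than relying on `delete usdUpdateProposal`, prevents a stale price from one proposal leaking into a later proposal that covers the same token.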

Assessed type

Context