search

code-423n4 / 2024-05-predy-validation

0 stars 0 forks source link

Inability to Disable allowedUniswapPools Once Enabled #603

Closed c4-bot-2 closed 4 months ago

c4-bot-2 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-predy/blob/main/src/PredyPool.sol#L109-L111

Vulnerability details

Impact

The registerPair function in the smart contract allows an operator to register a new trading pair by invoking the AddPairLogic.addPair function. However, there is no mechanism to disable the allowedUniswapPools feature once it has been set to true, which could lead to unwanted or potentially harmful interactions with Uniswap pools.

Proof of Concept

Once the allowedUniswapPools feature is enabled, there is no provided method to disable it. This lack of flexibility could pose risks or limitations in the contract's operational management, particularly if future circumstances require disabling interactions with Uniswap pools.

In AddPairLogic::addPair https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/logic/AddPairLogic.sol#L89

allowedUniswapPools[_addPairParam.uniswapPool] = true;

https://github.com/code-423n4/2024-05-predy/blob/main/src/PredyPool.sol#L109-L111

//@audit no way to disable allowedUniswapPools if once true
function registerPair(AddPairLogic.AddPairParams memory addPairParam) external onlyOperator returns (uint256) {
    return AddPairLogic.addPair(globalData, allowedUniswapPools, addPairParam);
}

Tools Used

Manual Review

Recommended Mitigation Steps

Introduce a mechanism to disable allowedUniswapPools as needed, providing greater control over the contract’s behavior.

Assessed type

Context