The setRefundDeadlineForProject() function currently allows only the contract owner to set the refundDeadline for any project. This goes against the project governance since the contract owner is not the project admin. This allows for unauthorized refundDeadline modifications for projects.
Only the contract owner (onlyOwner) can set the refundDeadline, which might not align with the decentralized nature of the project management.
Setting refundDeadline for any project would be more appropriate if done by the project admin, just like the following modifications associated with a project:
transferAdminProject()
claimRefund()
initILOPool()
Tools Used
Manual Review
Recommended Mitigation Steps
Use the onlyProjectAdmin modifier to ensure that only the project admin can modify the refundDeadline.
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L180-L184
Assessed type
Access Control
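The access-control change recommended above, as an added example that is not part of the original report and is not the ILOManager source. Only setRefundDeadlineForProject, onlyOwner and onlyProjectAdmin come from the report; the contract name, Project struct, storage layout, initProject helper, errors and event are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this example; it is not the ILOManager source.
// The Project struct, storage layout, error and event names are assumptions.
contract RefundDeadlineAccessSketch {
    struct Project {
        address admin;          // per-project admin
        uint64 refundDeadline;  // the value the report is about
    }

    address public owner;                        // contract-level owner
    mapping(address => Project) public projects; // keyed by pool address (assumed)
    error NotOwner();
    error NotProjectAdmin();
    event RefundDeadlineChanged(address indexed pool, uint64 oldDeadline, uint64 newDeadline);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // An unregistered project has admin == address(0), so every caller is rejected.
    modifier onlyProjectAdmin(address pool) {
        if (msg.sender != projects[pool].admin) revert NotProjectAdmin();
        _;
    }

    // Helper for this sketch only: registers a project with the caller as its admin.
    function initProject(address pool, uint64 refundDeadline) external {
        require(projects[pool].admin == address(0), "exists");
        projects[pool] = Project(msg.sender, refundDeadline);
    }

    // Pattern the report describes: gated by the contract owner, for any project.
    function setRefundDeadlineOwnerGated(address pool, uint64 newDeadline) external onlyOwner {
        _setRefundDeadline(pool, newDeadline);
    }

    // Pattern the report recommends: gated by that project's own admin.
    function setRefundDeadlineForProject(address pool, uint64 newDeadline) external onlyProjectAdmin(pool) {
        _setRefundDeadline(pool, newDeadline);
    }

    function _setRefundDeadline(address pool, uint64 newDeadline) private {
        emit RefundDeadlineChanged(pool, projects[pool].refundDeadline, newDeadline);
        projects[pool].refundDeadline = newDeadline;
    }
}
```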