The setRefundDeadlineForProject() function currently allows only the contract owner to set the refundDeadline for any project. This goes against the project gorvenance since the contract owner is not the project admin. This allows for unauthorized refundDeadline modifications for projects.
Only the contract owner, (onlyOwner), can set the refundDeadline, which might not align with the decentralized nature of the project management.
---> Setting refundDeadline for any project would be more appropriate if done by project admin just like the following modifications associated with a project:
transferAdminProject()
claimRefund()
initILOPool()
Tools Used
Manual Review
Recommended Mitigation Steps
Use the onlyProjectAdmin modifier to ensure that only the project admin can modify the refundDeadline.
c4-bot-5
commented
2 months ago
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOManager.sol#L180-L184
Vulnerability details
Impact
The setRefundDeadlineForProject() function currently allows only the
contract ownerto set therefundDeadlinefor any project. This goes against the project gorvenance since thecontract owneris not theproject admin. This allows for unauthorizedrefundDeadlinemodifications for projects.Vulnerability details
Only the contract owner, (
onlyOwner), can set therefundDeadline, which might not align with the decentralized nature of the project management. ---> SettingrefundDeadlinefor any project would be more appropriate if done by project admin just like the following modifications associated with a project:transferAdminProject()claimRefund()initILOPool()Tools Used
Manual Review
Recommended Mitigation Steps
Use the
onlyProjectAdminmodifier to ensure that only the project admin can modify therefundDeadline.Assessed type
Access Control