Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L1121

Vulnerability details

The `update_emergency_council_7_D_0_C_1_C_58()` function is intended to update the emergency council address, which is a critical security role. However, the function actually updates the `nft_manager` instead of the `emergency_council`:

```rust
#[allow(non_snake_case)]
pub fn update_emergency_council_7_D_0_C_1_C_58(
    &mut self,
    manager: Address,
) -> Result<(), Revert> {
    assert_eq_or!(
        msg::sender(),
        self.seawater_admin.get(),
        Error::SeawaterAdminOnly
    );

    // Writes nft_manager; emergency_council is never touched.
    self.nft_manager.set(manager);

    Ok(())
}
```

This error leads to a situation where the emergency council cannot be updated as intended, and the NFT manager can be changed unexpectedly.

Impact

Proof of Concept

1. `seawater_admin` calls `update_emergency_council_7_D_0_C_1_C_58()` with a new address, intending to update the emergency council.
2. Instead of `emergency_council`, it updates `nft_manager`.
3. `emergency_council` remains unchanged, while `nft_manager` is now set to the new address.

Tools Used

Manual review

Recommended Mitigation Steps

The function should be corrected to update the `emergency_council` instead of the `nft_manager`.

Assessed type

Other

alex-ppg changed the severity to 3 (High Risk)

alex-ppg marked the issue as satisfactory
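
The recommended mitigation, modelled as an added example that is not the project's code or the reporter's: the reported setter next to a corrected one, with a check on both roles after an admin call. `Pool`, `Address`, `Error`, `only_admin`, `roles_after` and the `_fixed` suffix are assumptions made for this sketch, and the addresses are constructed sample values.

```rust
// Added example: a simplified in-memory model, not the Superposition contract.
// `Pool`, `Address`, `Error`, `only_admin`, `roles_after` and the `_fixed` suffix
// are assumptions; the three role names and the misdirected write are from the finding.
type Address = [u8; 20];

#[derive(Debug, PartialEq)]
pub enum Error { SeawaterAdminOnly }

pub struct Pool {
    pub seawater_admin: Address,
    pub nft_manager: Address,
    pub emergency_council: Address,
}

impl Pool {
    fn only_admin(&self, sender: Address) -> Result<(), Error> {
        if sender == self.seawater_admin { Ok(()) } else { Err(Error::SeawaterAdminOnly) }
    }

    /// Reported behaviour: the access check is correct, the write is not.
    pub fn update_emergency_council(&mut self, sender: Address, manager: Address) -> Result<(), Error> {
        self.only_admin(sender)?;
        self.nft_manager = manager; // wrong role overwritten
        Ok(())
    }

    /// Recommended mitigation: write the role the function is named for.
    pub fn update_emergency_council_fixed(&mut self, sender: Address, council: Address) -> Result<(), Error> {
        self.only_admin(sender)?;
        self.emergency_council = council;
        Ok(())
    }
}

/// Calls `setter` as the admin and returns (emergency_council, nft_manager) afterwards.
pub fn roles_after(setter: fn(&mut Pool, Address, Address) -> Result<(), Error>) -> (Address, Address) {
    let admin = [0xAA; 20]; // constructed sample addresses
    let mut pool = Pool { seawater_admin: admin, nft_manager: [0x11; 20], emergency_council: [0x22; 20] };
    setter(&mut pool, admin, [0x33; 20]).expect("admin call must succeed");
    (pool.emergency_council, pool.nft_manager)
}

fn main() {
    // Vulnerable setter: council untouched, NFT manager overwritten.
    assert_eq!(roles_after(Pool::update_emergency_council), ([0x22; 20], [0x33; 20]));
    // Fixed setter: council updated, NFT manager untouched.
    assert_eq!(roles_after(Pool::update_emergency_council_fixed), ([0x33; 20], [0x11; 20]));
}
```

A test that only checks the setter returns `Ok(())` passes for both versions; asserting on both roles after the call is what separates them.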