Open hats-bug-reporter[bot] opened 2 months ago
OOS, Invalid
@0xmahdirostami I think, brother, you are missing what the sponsors added in the GitHub README. There they clearly stated that for the contracts VoterUpgradeableV1_2.sol and VotingEscrowUpgradeableV1_2.sol, only the changes made are in scope, or if the vulnerability is critical.
And you can clearly see that both setVoterAdmin() and setGovernance() have been introduced after the changes; look in docs/diff/*
Both setVoterAdmin(address) and setGovernance(address) have been introduced after the changes.
Thanks, but the scope that they gave me is:
please check this page https://app.hats.finance/audit-competitions/fenix-0x9d7765a7ebd5b6322a30797a44a5428531970d3d/scope
I raised this issue in Discord; let's wait for what the sponsors and the internal Hats team say about this, because yesterday these were listed as in scope in the Hats dApp even after the contest had been live for a bit, and secondly the GitHub scope says otherwise. Let's wait, brother.
For now, I will judge these submissions as well.
Non-issue, centralized category.
Github username: @burhankhaja Twitter username: imaybeghost Submission hash (on-chain): 0x641b4259d48658553f538f2e60c062da5f82842266ac07286933095c81673bc2 Severity: low
Description: The function setVoterAdmin() transfers the voteradmin role to a new address. Similarly, setGovernance() transfers the governance role to a new address. The former can only be called by voteradmin, while the latter can only be called by governance. In case a wrong address is supplied, both of these crucial roles will be taken over, and there will be no way to save the protocol from bloodshed.
Recommendation: Consider implementing a two-step voteradmin and governance transfer, where the new voteradmin and governor is not directly handed the role; rather, they can claim the role, just like OpenZeppelin's two-step ownership transfer works.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
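The two-step transfer the submission recommends, written out as an added illustration rather than code from the Fenix contracts or from this submission. The storage names `voterAdmin`, `governance`, `pendingVoterAdmin` and `pendingGovernance`, the modifiers, events and the `Unauthorized` error are all assumed for the example; the only thing the submission establishes is that the existing setVoterAdmin() and setGovernance() move the role in a single call. The nomination functions keep the original names so the pattern maps onto the report, and each role gains an accept function that only the nominee can call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of a two-step role handover modelled on OpenZeppelin's
/// Ownable2Step. Not the project's code; every name below is an assumption.
abstract contract TwoStepRoles {
    address public voterAdmin;
    address public governance;

    // Nominees. The role does not move until the nominee calls accept*().
    address public pendingVoterAdmin;
    address public pendingGovernance;

    event VoterAdminTransferStarted(address indexed current, address indexed pending);
    event VoterAdminTransferred(address indexed previous, address indexed current);
    event GovernanceTransferStarted(address indexed current, address indexed pending);
    event GovernanceTransferred(address indexed previous, address indexed current);

    error Unauthorized(address caller);

    modifier onlyVoterAdmin() {
        if (msg.sender != voterAdmin) revert Unauthorized(msg.sender);
        _;
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert Unauthorized(msg.sender);
        _;
    }

    // Step 1 (voteradmin): the current holder nominates. A mistyped address only
    // lands in pendingVoterAdmin, which the holder can overwrite or clear with
    // address(0); the live role is untouched.
    function setVoterAdmin(address newAdmin) external onlyVoterAdmin {
        pendingVoterAdmin = newAdmin;
        emit VoterAdminTransferStarted(voterAdmin, newAdmin);
    }

    // Step 2 (voteradmin): only the nominee can claim. A successful call proves
    // the address is controlled by someone able to sign transactions, which is
    // exactly what a single-step transfer cannot check.
    function acceptVoterAdmin() external {
        if (msg.sender != pendingVoterAdmin) revert Unauthorized(msg.sender);
        address previous = voterAdmin;
        voterAdmin = msg.sender;
        delete pendingVoterAdmin;
        emit VoterAdminTransferred(previous, msg.sender);
    }

    // Step 1 (governance): same nomination pattern, gated by the governance role.
    function setGovernance(address newGovernance) external onlyGovernance {
        pendingGovernance = newGovernance;
        emit GovernanceTransferStarted(governance, newGovernance);
    }

    // Step 2 (governance): claim by the nominee only.
    function acceptGovernance() external {
        if (msg.sender != pendingGovernance) revert Unauthorized(msg.sender);
        address previous = governance;
        governance = msg.sender;
        delete pendingGovernance;
        emit GovernanceTransferred(previous, msg.sender);
    }
}
```

Two practical points if a pattern like this were applied to the contracts named in the thread. Because they are upgradeable, the two new pending slots must be appended after the existing storage variables (or placed in a reserved gap) so the upgrade does not shift the layout of the proxy's storage. And the accept functions deliberately take no argument: the caller's identity is the proof, so there is no second address that could be mistyped.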