Open hats-bug-reporter[bot] opened 7 months ago
Thank you for the submission.
If we call GaugeFactoryUpgradeable.setDistribution(), in GaugeUpgradeable.setDistribution(), msg.sender will be GaugeFactoryUpgradeable, which will cause a transaction to fail. I agree with this.
This view shows that the address update function via setDistribution is not working, but it doesn't cause any other problems as long as it exists. The address update is still available via a direct call to GaugeUpgradeable, which is even cheaper in terms of gas.
Github username: @0xRizwan
Twitter username: 0xRizwann
Submission hash (on-chain): 0x92d750511244e578f717387ba7dc6ca37b88548ac3fb7c0056bf68d50d6165ac
Severity: medium
Description:

GaugeFactoryUpgradeable.setDistribution() is used to set the DISTRIBUTION address. This function calls setDistribution from the gauge contract, which looks as below per implementation,

GaugeUpgradeable.setDistribution()

This function can only be accessed by onlyOwner and this modifier implementation is shown as below,

This means GaugeUpgradeable.setDistribution() can only be accessed by the owner of gaugeFactory.

However, GaugeFactoryUpgradeable.setDistribution() will always revert, as the msg.sender is the GaugeFactoryUpgradeable address which is calling IGauge(_gauge).setDistribution(_newDistribution); and this sub-function is expecting to be accessed by the owner of gaugeFactory. This will be a permanent failure while accessing this function.

Recommendations:

Allow the gaugeFactory to access GaugeUpgradeable.setDistribution().

Add changes in GaugeUpgradeable.sol
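
The caller mismatch described in this report, as an added example that is not the project's code and not part of the original submission. GaugeModel, FactoryModel, IOwnable and the two modifier and setter names are hypothetical, and the strict check is assumed from the report's description of onlyOwner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Simplified model for illustration only; names and layout are assumptions.
interface IOwnable {
    function owner() external view returns (address);
}

contract GaugeModel {
    address public gaugeFactory;
    address public DISTRIBUTION;

    constructor(address _factory) { gaugeFactory = _factory; }

    // Check as the report describes it: only the factory's owner passes.
    // A call forwarded by the factory arrives with msg.sender == gaugeFactory,
    // which is not the owner account, so it reverts.
    modifier onlyFactoryOwner() {
        require(msg.sender == IOwnable(gaugeFactory).owner(), "not factory owner");
        _;
    }

    // Direction of the recommendation: accept the factory itself as a caller.
    // The factory's own entry point must then remain owner-restricted.
    modifier onlyFactoryOrItsOwner() {
        require(
            msg.sender == gaugeFactory || msg.sender == IOwnable(gaugeFactory).owner(),
            "not factory or its owner"
        );
        _;
    }

    function setDistributionStrict(address _new) external onlyFactoryOwner { DISTRIBUTION = _new; }
    function setDistributionRelaxed(address _new) external onlyFactoryOrItsOwner { DISTRIBUTION = _new; }
}

contract FactoryModel {
    address public owner = msg.sender; // deployer becomes owner

    // Forwarding call: inside the gauge, msg.sender is address(this), not owner.
    function setDistribution(address _gauge, address _new, bool relaxed) external {
        require(msg.sender == owner, "not owner");
        if (relaxed) GaugeModel(_gauge).setDistributionRelaxed(_new); // succeeds
        else GaugeModel(_gauge).setDistributionStrict(_new);          // always reverts
    }
}
```

A direct call from the owner account to setDistributionStrict still succeeds in this model; only the path forwarded through the factory reverts.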