Open hats-bug-reporter[bot] opened 7 months ago
Thank you for the submission.
Once blastGovernor
has been setted for a contract, it is no longer possible to change this address from the contract, the rights to it are transferred to blastGovernor. The further transfer and installation of blastGovernor
at the address is carried out by directly contacting blastGovernor
to Blast
contract.
For factories, it is possible to set the defaultBlastGovernor
for only new contracts. For those that are already deployed, the only and predictable way is to transfer rights by directly calling the Blast contract from the previous defaultBlastGovernor
Github username: -- Twitter username: -- Submission hash (on-chain): 0x448a641d442228e8669be554a6eec35dd2be3b377f9f984e891cc4f6c7f32b22 Severity: medium
Description: Description
In some contracts, such as
BribeFactoryUpgradeable
,PairFactoryUpgradeable
,GaugeFactoryUpgradeable
,FeesVaultFactory
,AlgebraFactory
, there is a functionsetDefaultBlastGovernor
.This function is intended to update
defaultBlastGovernor
, and there is no check if thedefaultBlastGovernor
is already assign or still empty. If thedefaultBlastGovernor
is designed to only be assign once, then there should be a check, such asrequire(defaultBlastGovernor == address(0), "already set");
.Thus, by this assumption, there is a possible case the existing
defaultBlastGovernor
will be replaced or updated into a new address.In many contract instance which inherits
BlastGovernorSetup
, the case when the blast governor need to be updated, there is no available function to update this. For example, inBribeUpgradable
the change of blastgov
is only through__BlastGovernorSetup_init(governor_);
ininitialize
. There is no way to change this governor again.Whenever the Bribe Contract Factory change it's
defaultBlastGovernor
, then the already deployed (Bribe
) contract will not be able to update this new blast gov, because lack of access to trigger the__BlastGovernorSetup_init
(as it's an internal function inBlastGovernorSetup
)For example,
Fenix
contract as follow,here the
blastGovernor_
is more likely animmutable
value, because theblastGovernor_
is fixed. But, inBribeFactoryUpgradeable
, the_blastGovernor
can be updated, which make sense since theBribe
instance will be created using thisdefaultBlastGovernor
.But my issue is, when the blast governor is being changed due to some issue, the deployed
Bribe
s andFenix
contract are unable to update the governor address.Attack Scenario
When there is need to change default blast governor, as the function allowed for changing this value, then the already deployed contracts will use the old governor. The issue will be came serious when the change of this default blast governor is compromised, and there is no way to change the gov.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
for example, we use a
IBribeFactory
reference, inand modify
Recommendation
Consider to implement an external function to reconfigure blast governor, and trigger the call on
setDefaultBlastGovernor
for example.