Open hats-bug-reporter[bot] opened 3 months ago
The reported issue concerning the discrepancy between the minDelay
value in the deployment script and the documentation has been reviewed. Here is our detailed perspective:
Documentation Correction: The documentation states that the minimum delay for timelocked operations should be 12 hours, whereas the deployment script sets it to 24 hours. This discrepancy indicates that the documentation needs to be updated to accurately reflect the deployed contract's settings.
Impact Assessment: Since the deployed minDelay
of 24 hours does not introduce any security risks or functional problems, this issue is primarily about aligning the documentation with the actual deployment. Ensuring accurate documentation is essential for maintaining user trust and clarity.
Severity Assessment: Given that this issue does not introduce any vulnerabilities or risks to users, it is classified as low severity. The primary concern is the inconsistency between the documentation and the actual deployment.
Conclusion: The discrepancy between the deployed minDelay
value and the documentation needs to be addressed. We recommend updating the documentation to reflect the deployed minDelay
of 24 hours. This issue is more of a documentation enhancement rather than a security vulnerability.
Status: This issue is a documentation enhancement.
Comment for the Reporter:
Thank you for highlighting this discrepancy. The documentation states that the minimum delay for timelocked operations should be 12 hours, but the contract was deployed with a minDelay
of 24 hours. Since this does not harm users and is more of a documentation issue, we classify it as a low severity enhancement. We can still consider a lower payout for this valid suggestion.
@mihailo-maksa This should be labelled as minor
issue since documentation
were tagged earlier.
Here is our detailed perspective:
The scope includes the core contracts of the Intuition protocol:
Please refer to the readme file for more details on intended behavior and the developer docs.
Thank you for highlighting this discrepancy. We appreciate your input, but our final judgement is that this issue is invalid.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x876246e971474cb7ed99a725abaac463ca9568ba6329ae0d96a09f388347aebd Severity: medium
Description: Description\
To set the critical parameters i.e
Admin
andExit fee
,EthMultiVault.sol
has used timelock mechanism with minimum delay so once this delay is passed then both of these critical parameters can be set inEthMultiVault.sol
contract.minDelay
is the part of General configuration struct which is a part ofEthMultiVault.sol
contract.The issue is that, the deployment script considers
minDelay
as1 days or 24 hours
but the documentation clearly states12 hours
.As per deployment script:
and As per Intuition documentation:
This difference of 12 hours would affect greatly and considering the documentation upto date, this would break the intended design of Intuition protocol for critical setters like
Admin
andExit fee
.The following functions are greatly affected and makes use of
minDelay
to set or validatations, etc. check (@>) to understand the impact due to this issue1)
scheduleOperation()
2)
cancelOperation()
3)
setAdmin()
4)
setExitFee()
It should be noted that,
minDelay
can not be changed once set so this would be treated as Immutable and with this value in production, it surely deviates from documentation so Medium severity is more appropriate here.Recommendations\ Consider using
12 hours
instead of1 days
for minimum delay of critical setters i.eAdmin
andExit fee
.On issue severity\
Low severity if documentation is incorrect and contracts minimum delay is correct and should be corrected as per contest rules such issues are low severity.