hats-finance / Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb

Fork of the Inverter Smart Contracts Repository
GNU Lesser General Public License v3.0

`InverterBeacon_v1`: Possible to block new updates #11

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xfe25a0c906257e4d19f35ede55b581b83d2a1dab4db90ac651fdcffa0cae5626
Severity: low

Description

The governor contract has the authority (team or community multisig) to upgrade an InverterBeacon_v1 via an upgradeTo() call. There is a check, in the modifier validNewMinorVersion(), that the new minor version is greater than the previous one.

    modifier validNewMinorVersion(uint newMinorVersion) {
        if (newMinorVersion <= minorVersion) {
            revert InverterBeacon__InvalidImplementationMinorVersion();
        }
        _;
    }

However, the new minor version can be set to uint256.max, which will block any potential new update of the beacon contract.

Recommendation

Consider restricting the validNewMinorVersion() modifier to accept only +1 for the new version or below an acceptable limit.

    if (newMinorVersion != minorVersion + 1) { revert(); }
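The scenario from the report, replayed against a minimal stand-in beacon. This is an added example and not code from the Inverter repository: `LooseBeacon`, `StrictBeacon`, `BlockingDemo`, the placeholder implementation addresses and the simplified governor check are all hypothetical, and only the `validNewMinorVersion` modifier mirrors the check quoted above. `StrictBeacon` applies the recommended "+1 only" rule by overriding the modifier.

```solidity
// SPDX-License-Identifier: LGPL-3.0
pragma solidity ^0.8.20;

// Hypothetical minimal beacon (not InverterBeacon_v1) carrying the same
// "strictly greater" minor-version check quoted in the report.
contract LooseBeacon {
    error InvalidImplementationMinorVersion();
    error NotGovernor();

    address public governor;
    address public implementation;
    uint public minorVersion;

    constructor() {
        governor = msg.sender; // simplified: deployer acts as governor
    }

    modifier onlyGovernor() {
        if (msg.sender != governor) revert NotGovernor();
        _;
    }

    // Accepts any value above the current one, including type(uint).max.
    modifier validNewMinorVersion(uint newMinorVersion) virtual {
        if (newMinorVersion <= minorVersion) revert InvalidImplementationMinorVersion();
        _;
    }

    function upgradeTo(address newImplementation, uint newMinorVersion)
        external
        onlyGovernor
        validNewMinorVersion(newMinorVersion)
    {
        implementation = newImplementation;
        minorVersion = newMinorVersion;
    }
}

// Hardened variant: the minor version may only advance by exactly one per
// upgrade, so no single call can push it to a value nothing can exceed.
contract StrictBeacon is LooseBeacon {
    modifier validNewMinorVersion(uint newMinorVersion) override {
        if (newMinorVersion != minorVersion + 1) revert InvalidImplementationMinorVersion();
        _;
    }
}

// Deploys both beacons (and is therefore their governor) and replays the report.
contract BlockingDemo {
    // Placeholder implementation addresses; a real beacon points at contracts.
    address constant IMPL_A = address(0xA11CE);
    address constant IMPL_B = address(0xB0B);

    // looseBlocked : LooseBeacon accepted type(uint).max and now rejects
    //                every further upgrade.
    // strictBlocked: StrictBeacon rejected the jump; false means the next
    //                sequential version (1) was still accepted afterwards.
    function run() external returns (bool looseBlocked, bool strictBlocked) {
        LooseBeacon loose = new LooseBeacon();
        loose.upgradeTo(IMPL_A, type(uint).max); // accepted: max > 0
        try loose.upgradeTo(IMPL_B, type(uint).max) {
            looseBlocked = false;
        } catch {
            looseBlocked = true; // no uint is greater than type(uint).max
        }

        StrictBeacon strict = new StrictBeacon();
        try strict.upgradeTo(IMPL_A, type(uint).max) {
            // not reached: only 0 + 1 is a valid next version
        } catch {}
        try strict.upgradeTo(IMPL_B, 1) {
            strictBlocked = false;
        } catch {
            strictBlocked = true;
        }
    }
}
```

Deploying `BlockingDemo` and calling `run()` returns `looseBlocked == true` and `strictBlocked == false`: the loose check lets the governor set `minorVersion` to `type(uint).max`, after which the modifier rejects every candidate, while the strict check refuses the jump and still accepts version 1. The "+1 only" rule is the simpler of the two fixes the report suggests; a cap ("below an acceptable limit") would be a `newMinorVersion <= MAX_MINOR` condition added to the same modifier.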
PlamenTSV commented 3 weeks ago

OOS imo

0xmahdirostami commented 3 weeks ago

thanks @PlamenTSV