Changes in settings do not have restrictions and immediately take effect.
Vulnerability Detail
All the main contracts contain the function file that allows an admin to adjust the settings. While I want to believe the admin will behave like an honest human being, as an auditor based on previous experiences I have to flag this as a potential issue. These file functions provide an admin with great power and control over the protocol, and there are basically no validations against the new values.
Impact
Users can be frontrunned with changes not in their favor and overall the admin has high influence over the protocol.
Inform users, use timelock, and introduce reasonable lower/upper boundaries or slippage for critical parameters. In the future, admin privileges might be transferred to a DAO.
HonorLt
medium
Admin privilleges
Summary
Changes in settings do not have restrictions and immediately take effect.
Vulnerability Detail
All the main contracts contain the function
filethat allows an admin to adjust the settings. While I want to believe the admin will behave like an honest human being, as an auditor based on previous experiences I have to flag this as a potential issue. Thesefilefunctions provide an admin with great power and control over the protocol, and there are basically no validations against the new values.Impact
Users can be frontrunned with changes not in their favor and overall the admin has high influence over the protocol.
Code Snippet
https://github.com/sherlock-audit/2022-10-astaria/blob/main/src/AstariaRouter.sol#L134-L195
https://github.com/sherlock-audit/2022-10-astaria/blob/main/src/CollateralToken.sol#L111-L133
https://github.com/sherlock-audit/2022-10-astaria/blob/main/src/LienToken.sol#L81-L100
Tool used
Manual Review
Recommendation
Inform users, use timelock, and introduce reasonable lower/upper boundaries or slippage for critical parameters. In the future, admin privileges might be transferred to a DAO.