Controller.sol has a whitelist mechanism, but no function to remove the whitelist vault.
function addVault(address _vault) external onlyDao {
vaultWhitelist[_vault] = true;
}
Vulnerability Detail
Once an vault address has been added to the whitelist, it is not possible to remove him from the whitelist.
The vault address may be compromised and need to be removed. It is therefore important to create a mechanism from which one can remove the whitelist vault address.
Impact
The vault address may be compromised and need to be removed.
whitelist which is used for a modifier which grants the vaults access to our controller functions. Not being able to disable this is an inconvenience, not more.
tsvetanovv
medium
Missing functionality to remove whitelist vault
Summary
Controller.sol has a whitelist mechanism, but no function to remove the whitelist
vault
.Vulnerability Detail
Once an
vault
address has been added to the whitelist, it is not possible to remove him from the whitelist. The vault address may be compromised and need to be removed. It is therefore important to create a mechanism from which one can remove the whitelistvault
address.Impact
The vault address may be compromised and need to be removed.
Code Snippet
https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Controller.sol#L175
Tool used
Manual Review
Recommendation
Add function
removeVault()
: