search

sherlock-audit / 2023-01-derby-judging

4 stars 1 forks source link

josephdara - Add protocol #414

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

josephdara

high

Add protocol

Summary

High Blacklisted protocols can be added again with a new protocol number with the addProtcol function in controller.sol. There is no check implemented to prevent a blacklisted protocol from being readded since a new protocolNumber is computed for it in addProtocol.

Impact

Through an error, the Dao can add a blacklisted protocol.

Code Snippet

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Controller.sol#L146 ` function addProtocol( string calldata _name, uint256 _vaultNumber, address _provider, address _protocolLPToken, address _underlying, address _govToken, uint256 _uScale ) external onlyDao returns (uint256) { uint256 protocolNumber = latestProtocolId[_vaultNumber];

protocolNames[_vaultNumber][protocolNumber] = _name;
protocolGovToken[_vaultNumber][protocolNumber] = _govToken;
protocolInfo[_vaultNumber][protocolNumber] = ProtocolInfoS(
  _protocolLPToken,
  _provider,
  _underlying,
  _uScale
);

emit SetProtocolNumber(protocolNumber, _protocolLPToken);

latestProtocolId[_vaultNumber]++;

return protocolNumber;

}`

Tool used

Remix

Manual Review

Recommendation

I suggest a new mapping from an address to a uint to manage blacklisted protocols and a require statement in addProtocol.

Vulnerability Detail

This can enable malicious protocols