search

sherlock-audit / 2023-01-uxd-judging

3 stars 1 forks source link

GimelSec - Hard to change the positions of registered depositors #421

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

GimelSec

medium

Hard to change the positions of registered depositors

Summary

In UXDRouter, only the first registered depositor in _depositoriesForAsset is used. And It is hard to change the positions of registered depositors. If the owner wants to abandon the first registered depositor and use another depositor. The owner can not directly change the positions.

Vulnerability Detail

    function unregisterDepository(address depository, address assetToken)
        external
        onlyOwner
    {
        bool foundByAsset = false;
        address[] storage byAsset = _depositoriesForAsset[assetToken];
        if (byAsset.length == 0) {
            revert NotExists(assetToken);
        }
        for (uint256 i = 0; i < byAsset.length; i++) {
            if (byAsset[i] == depository) {
                foundByAsset = true;
                byAsset[i] = byAsset[byAsset.length - 1];
                byAsset.pop();
                break;
            }
        }
        if (!foundByAsset) {
            revert NotExists(assetToken);
        }

        emit DepositoryUnregistered(assetToken, depository);
    }

If the number of the registered depositors is 10 and the owner wants to use the 5th registered depositor instead of the first depositor. The owner has to take the following step

Impact

It is hard for the owner to choose the desired depositors from _depositoriesForAsset.

Code Snippet

https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDRouter.sol#L59 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDRouter.sol#L101 https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDRouter.sol#L90

Tool used

Manual Review

Recommendation

Add a function to change the positions of registered depositors

Duplicate of #255