It is possible for an operator to remove himself. This will leave the contract without any operator. This becomes a problem since all functionality requiring the operator role will stop working.
Vulnerability Detail
Operator O1 exists.
Operator O1 removes itself by calling the remove_operator function:
def remove_operator(_to_remove: address):
    """
    @notice
        Remove an existing operator from the priviledged addresses.
    """
    assert self.is_operator[msg.sender], "unauthorized"
    assert self.is_operator[_to_remove], "not an operator"
    self.is_operator[_to_remove] = False
    log OperatorRemoved(_to_remove, msg.sender)
Now no operator is present in the contract.
This directly impacts functions like add_depositor, set_alchemist, set_fund_receiver, etc., which can no longer be called (callable by operator only).
Impact
Any functionality requiring the operator role will not work.
csanuragjain
medium
Break contract functionalities
Code Snippet
https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L604
Tool used
Manual Review
Recommendation
An operator should not be allowed to remove himself, and one operator should always remain in the system.
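One way to implement this recommendation, as an added example that is not code from the audited repository or from the report's author. The operator_count variable, the constructor seeding, the add_operator function and the event field names are assumptions made for illustration; only is_operator, remove_operator and the OperatorRemoved log call appear in the finding.

```vyper
# @version 0.3.7
# Added example: operator management that can never reach zero operators.
# Event field names, operator_count and add_operator are assumptions.

event OperatorAdded:
    new_operator: indexed(address)
    promoted_by: indexed(address)

event OperatorRemoved:
    removed: indexed(address)
    removed_by: indexed(address)

is_operator: public(HashMap[address, bool])
# Hypothetical counter: lets the contract (and off-chain monitoring)
# check the "at least one operator" invariant directly.
operator_count: public(uint256)

@external
def __init__():
    # Deployer is the first operator, so the count starts at 1.
    self.is_operator[msg.sender] = True
    self.operator_count = 1

@external
def add_operator(_new_operator: address):
    assert self.is_operator[msg.sender], "unauthorized"
    # Reject duplicates so the counter cannot drift from the mapping.
    assert not self.is_operator[_new_operator], "already an operator"
    self.is_operator[_new_operator] = True
    self.operator_count += 1
    log OperatorAdded(_new_operator, msg.sender)

@external
def remove_operator(_to_remove: address):
    assert self.is_operator[msg.sender], "unauthorized"
    assert self.is_operator[_to_remove], "not an operator"
    # First half of the recommendation: no self-removal.
    assert _to_remove != msg.sender, "cannot remove self"
    # Second half: one operator must always remain. With self-removal
    # blocked this is already implied (caller and target are two distinct
    # operators), but the explicit check keeps the invariant enforced if
    # the rule above is ever relaxed.
    assert self.operator_count > 1, "last operator"
    self.is_operator[_to_remove] = False
    self.operator_count -= 1
    log OperatorRemoved(_to_remove, msg.sender)
```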
Duplicate of #46