search

sherlock-audit / 2023-06-Index-judging

6 stars 2 forks source link

0x52 - Manger has no way to disable target raises after enabling them #46

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

0x52

medium

Manger has no way to disable target raises after enabling them

Summary

Managers can enable target raises but have no way to ever disable them, which can lead to unexpected and unwanted target increases.

Vulnerability Detail

AuctionRebalanceModuleV1.sol#L413-L428

function setRaiseTargetPercentage(
    ISetToken _setToken,
    uint256 _raiseTargetPercentage
)
    external
    onlyManagerAndValidSet(_setToken)
{
    // Ensure the raise target percentage is greater than 0
    require(_raiseTargetPercentage > 0, "Target percentage must be greater than 0");

    // Update the raise target percentage in the RebalanceInfo struct
    rebalanceInfo[_setToken].raiseTargetPercentage = _raiseTargetPercentage;

    // Emit an event to log the updated raise target percentage
    emit RaiseTargetPercentageUpdated(_setToken, _raiseTargetPercentage);
}

AuctionRebalanceModuleV1#setRaiseTargetPercentage allows the manager to set raiseTargetPercentage but after it has been enabled it can never be turned back off. This can lead to unexpected/malicious target increases. It also leads to excessive lock times because set tokens with a non-zero raiseTargetPercentage can never be unlocked early. The only way to reverse it after enabling it would be to remove the module then re-enabling it. This is considered dangerous according to comments throughout the code since there are many factors to consider

Impact

Target raises cannot be disabled once enabled

Code Snippet

AuctionRebalanceModuleV1.sol#L413-L428

Tool used

Manual Review

Recommendation

Allow raiseTargetPercentage to be set to zero

Duplicate of #38