sherlock-audit / 2023-06-Index-judging

6 stars 2 forks source link

seerether - The execution settings and auction parameters still remain in storage even when the module is removed from the SetToken #52

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

seerether

high

The execution settings and auction parameters still remain in storage even when the module is removed from the SetToken

Summary

The removeModule function only deletes the rebalanceInfo and permissionInfo mappings associated with the SetToken, but it does not delete the executionInfo mapping.

Vulnerability Detail

The removeModule does not delete the execution settings of the SetToken, including the auction parameters. The executionInfo mapping stores the auction execution parameters for each component of the SetToken. If a module is removed and then re-added to the SetToken, the executionInfo mapping will still contain the old auction parameters from the previous configuration. This can lead to unexpected behavior or security vulnerabilities if the module relies on the auction parameters being reset when it is added back to the SetToken.

Impact

This will lead to incorrect pricing during rebalances and also allow unauthorized users to access or modify the auction parameters.

Code Snippet

https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L515

Tool used

Manual Review

Recommendation

Add a line of code to delete the corresponding entry in the executionInfo mapping https://github.com/seerether/Index/blob/53fa86f25b1087da9c43e964b9be1595c67754ef/Indexmitigate5#L10