The execution settings and auction parameters still remain in storage even when the module is removed from the SetToken
Summary
The removeModule function only deletes the rebalanceInfo and permissionInfo mappings associated with the SetToken, but it does not delete the executionInfo mapping.
Vulnerability Detail
The removeModule does not delete the execution settings of the SetToken, including the auction parameters.
The executionInfo mapping stores the auction execution parameters for each component of the SetToken. If a module is removed and then re-added to the SetToken, the executionInfo mapping will still contain the old auction parameters from the previous configuration. This can lead to unexpected behavior or security vulnerabilities if the module relies on the auction parameters being reset when it is added back to the SetToken.
Impact
This will lead to incorrect pricing during rebalances and also allow unauthorized users to access or modify the auction parameters.
seerether
high
The execution settings and auction parameters still remain in storage even when the module is removed from the SetToken
Summary
The removeModule function only deletes the rebalanceInfo and permissionInfo mappings associated with the SetToken, but it does not delete the executionInfo mapping.
Vulnerability Detail
The removeModule does not delete the execution settings of the SetToken, including the auction parameters. The executionInfo mapping stores the auction execution parameters for each component of the SetToken. If a module is removed and then re-added to the SetToken, the executionInfo mapping will still contain the old auction parameters from the previous configuration. This can lead to unexpected behavior or security vulnerabilities if the module relies on the auction parameters being reset when it is added back to the SetToken.
Impact
This will lead to incorrect pricing during rebalances and also allow unauthorized users to access or modify the auction parameters.
Code Snippet
https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L515
Tool used
Manual Review
Recommendation
Add a line of code to delete the corresponding entry in the executionInfo mapping https://github.com/seerether/Index/blob/53fa86f25b1087da9c43e964b9be1595c67754ef/Indexmitigate5#L10