sherlock-audit / 2023-07-perennial-judging


kaysoft - PythFactory.sol contract has an `authorize` function but no `unauthorize` function. #162

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

kaysoft

medium

PythFactory.sol contract has an authorize function but no unauthorize function.

Summary

It is important to be able to revoke authority from an address in case of non-compliance, if the key to the address is stolen, or if the owner of the address becomes malicious.

Vulnerability Detail

The PythFactory.sol contract has an `authorize` function but does not have an `unauthorize` function.

Impact

The protocol will be unable to unauthorize a malicious address that has already been authorized to call the `onlyAuthorized` functions.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial-oracle/contracts/pyth/PythFactory.sol#L53

```solidity
/// @notice Authorizes a factory's instances to request from this factory's instances
/// @param factory The factory to authorize
function authorize(IFactory factory) external onlyOwner {
    callers[factory] = true;
}
```

Tool used

Manual Review

Recommendation

Implement the unauthorize function in the PythFactory.sol contract.
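As an added example, not code from the Perennial repository or from the issue author, here is a minimal owner-managed allow-list that carries both the grant path shown in the snippet and the revoke path the recommendation asks for. Only `authorize`, `callers`, `IFactory` and `onlyOwner` appear in the issue; the contract name, the `Authorized`/`Unauthorized` events, the shape of the `onlyAuthorized` modifier and the gated `requestSomething` function are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Stand-in for the project's factory interface: only the address identity
/// matters for an allow-list keyed on IFactory, so no members are needed here.
interface IFactory {}

/// Illustrative contract (not PythFactory): an owner-managed allow-list of
/// caller factories with symmetric grant and revoke operations.
contract AuthorizedCallers {
    address public immutable owner;

    /// Factories allowed to call `onlyAuthorized` functions (same storage
    /// shape as `callers[factory] = true` in the issue's snippet).
    mapping(IFactory => bool) public callers;

    /// Events make every change to the allow-list visible off-chain, which is
    /// what a monitoring team needs to notice an unexpected grant or revoke.
    event Authorized(IFactory indexed factory);
    event Unauthorized(IFactory indexed factory);

    error NotOwner();
    error NotAuthorized(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Assumed shape of the gate the issue refers to: the caller itself must
    /// be an allow-listed factory. (PythFactory's doc comment speaks of a
    /// factory's *instances*; the lookup used there is not shown in the issue.)
    modifier onlyAuthorized() {
        if (!callers[IFactory(msg.sender)]) revert NotAuthorized(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Grant: same effect as the original `authorize`, plus an event.
    function authorize(IFactory factory) external onlyOwner {
        callers[factory] = true;
        emit Authorized(factory);
    }

    /// Revoke: the counterpart the issue says is missing. Deliberately
    /// idempotent (no revert when already revoked) so that an emergency
    /// revocation of a compromised factory never fails on a state check.
    function unauthorize(IFactory factory) external onlyOwner {
        callers[factory] = false;
        emit Unauthorized(factory);
    }

    /// Example gated function standing in for whatever PythFactory protects.
    /// After `unauthorize(f)`, a call from `f` reverts with NotAuthorized.
    function requestSomething() external onlyAuthorized returns (bool) {
        return true;
    }
}
```

A revoke path only helps while the owner key is itself uncompromised and able to act in time; it is a control over the set of trusted callers, not over the owner.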

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

l

panprog commented:

low (invalid) because owner is trusted and caller is supposed to be only the Market contract which can't become malicious