Closed sherlock-admin2 closed 11 months ago
4 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid because this is a library function, meaning it's only an implementation: a smart contract has to delegatecall it to actually update the data using this function
n33k commented:
invalid, AI-generated groundless report
darkart commented:
The same as 14
polarzero commented:
Invalid. As above, it is unclear what could happen in the worst case scenario.
0xVinylDavyl
medium
Contract does not implement proper access control mechanisms for the validateAndStore function, there are no checks to restrict access to authorized users.
Summary
The code does not implement proper access control mechanisms for the validateAndStore function. As a result, there are no checks to restrict access to authorized users.
Vulnerability Detail
The code does not implement proper access control mechanisms for the validateAndStore function. As a result, there are no checks to restrict access to authorized users.
Impact
The absence of access control mechanisms can have significant security implications:
Code Snippet
The validateAndStore function is defined in the code without access control mechanisms: https://github.com/sherlock-audit/2023-09-perennial/blob/main/perennial-v2/packages/perennial/contracts/types/RiskParameter.sol#L173
There are no access control checks to restrict who can call the validateAndStore function.
Tool used
Manual Review
Recommendation
To mitigate the risk of unauthorized modifications to the risk parameters, it is recommended to implement proper access control mechanisms. One common approach is to use the OpenZeppelin Ownable contract. Here's an example of how this can be done:
By this recommended mitigation step, the Ownable contract from OpenZeppelin is imported, and the onlyOwner modifier is applied to the validateAndStore function. This ensures that only the contract owner (the deployer) can call the function, adding access control to prevent unauthorized modifications. Adjust the access control mechanism as needed to match your specific requirements.