Closed sherlock-admin closed 5 months ago
Technically correct.
Low severity. The issue would not affect the treasury valuation (which is the purpose of all of this), and removeAsset() is a permissioned function called by a whitelisted admin (via the policy).
Hi @0xJem, to me the watsons highlighted a valid point that can break core functionality of removeAsset as long as locations.length is greater than 1, which would constitute medium severity. I think it is intended that there will be more than one location for an asset, unless I am missing something. Open to hearing your opinion.
Escalate
Agree with sponsor that this should be low. Although removeAsset won't work and that is inconvenient, the admin can easily remove each location beforehand using removeAssetLocation() and then call removeAsset afterwards.
You've created a valid escalation!
Agree with @IAm0x52, should be invalid.
Although it is possible to pre-remove locations before calling the removeAsset function, it should be noted that administration will most likely take place through voting on the proposal. https://docs.olympusdao.finance/main/technical/overview/#ownership-model-the-executor
Thus, after an unsuccessful call to the removeAsset function, a vote will be required to remove the locations. I cannot agree that this is a simple inconvenience, because there is a lot more work to be done than just calling one additional function.
This is solely my assumption, since all module management processes are carried out through the kernel, and this is outside the scope of this contest.
Fix looks good. Solidity already clears this by default. Confirmed with a new test
I agree, this is a low severity issue. Planning to accept the escalation.
Result: Low Has duplicates
bin2chen
medium
removeAsset() when locations.length>1 will revert
Summary
In removeAsset(), the implementation of deleting locations is incorrect. If locations.length > 1, it will revert out-of-bounds.
Vulnerability Detail
In removeAsset(), deleting asset will clear locations. The code is as follows:
The above code loops pop(), the size of the array will become smaller and smaller but it always uses asset.locations[len - 1], which will cause out-of-bounds.
POC
add to TRSRY.v1_1.t.sol
Impact
when locations.length>1 unable to properly delete asset.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/TRSRY/OlympusTreasury.sol#L470-L477
Tool used
Manual Review
Recommendation
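The failure mode the report describes (a length cached once, combined with pop() inside the loop), as an added example that is not part of the original report and is not the code from OlympusTreasury.sol. The contract name, the function names and the exact loop body are assumptions reconstructed from the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Added illustration only. Names are hypothetical; this is not the
/// OlympusTreasury implementation.
contract LocationsClearDemo {
    address[] public locations;

    /// Fill the array with n constructed, non-zero addresses.
    function seed(uint256 n) external {
        delete locations;
        for (uint256 i; i < n; ++i) locations.push(address(uint160(i + 1)));
    }

    /// Pattern described in the report: `len` is read once, then the array
    /// shrinks on every pass while the loop keeps indexing with `len - 1`.
    ///   n = 0 or 1: every access is in bounds, the call succeeds.
    ///   n = 2: pass 0 pops the array to length 1; pass 1 touches
    ///          locations[1], which no longer exists, so the call reverts
    ///          with Panic(0x32) (array out-of-bounds).
    function clearBuggy() external {
        uint256 len = locations.length;
        for (uint256 i; i < len; ++i) {
            locations[i] = locations[len - 1]; // stale index after first pop
            locations.pop();
        }
    }

    /// Safe variant 1: re-read the live length on every pass.
    function clearByPop() external {
        while (locations.length > 0) locations.pop();
    }

    /// Safe variant 2: let the compiler reset the dynamic array.
    function clearByDelete() external {
        delete locations;
    }

    function count() external view returns (uint256) {
        return locations.length;
    }
}
```

A regression test for this class of bug should seed at least two entries before calling the removal path, since a single-entry array never reaches the stale index.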