search

sherlock-audit / 2023-11-olympus-judging

9 stars 8 forks source link

hash - No way to updated added/removed categories in metrics #188

Closed sherlock-admin2 closed 11 months ago

sherlock-admin2 commented 11 months ago

hash

medium

No way to updated added/removed categories in metrics

Summary

No way to updated added/removed categories in metrics

Vulnerability Detail

The Treasury has the ability to add and remove categories.

    function addCategory(
        Category category_,
        bool useSubmodules_,
        bytes4 submoduleMetricSelector_,
        bytes4 submoduleReservesSelector_
    ) external override permissioned {
        _addCategory(
            category_,
            useSubmodules_,
            submoduleMetricSelector_,
            submoduleReservesSelector_
        );
    }

All the metric value computations contain hardcoded categories Eg:

    function _circulatingSupply() internal view returns (uint256) {
        uint256 treasuryOhm = _getSupplyByCategory(toCategory("protocol-owned-treasury"));
        uint256 daoOhm = _getSupplyByCategory(toCategory("dao"));
        uint256 totalOhm = _totalSupply();

        return totalOhm - treasuryOhm - daoOhm;
    }

Hence there is no way to reflect these updated categories in the metric calculation. Some of these metrics(such as BACKED_SUPPLY) are used to make important decisions like adjusting the backing of categories.

Impact

Newly added categories won't be included in the metric calculation and if any of the hardcoded categories gets removed the metric calculation will revert.

Code Snippet

ability to add new category https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/OlympusSupply.sol#L100-L112

hardcoded categories in all metric calculations https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/OlympusSupply.sol#L640-L758

Tool used

Manual Review

Recommendation

Maintain an array for each metric which allows categories to be added and removed.

sherlock-admin2 commented 11 months ago

1 comment(s) were left on this issue during the judging contest.

nirohgo commented:

Invalid because if a major change is needed for supply metrics a new version of the supply module can be deployed

nevillehuang commented 10 months ago

Invalid, all the hardcoded categories are correctly assumed. All other categories subsequently added can have their OHM supply retrieved via functions here