Open sherlock-admin2 opened 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
the natspec says "callable only by the owner", which means the rebalancer role should be both owner and rebalancer, which makes this invalid
Low. That was the initial intention. However, we'll fix it.
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/TapiocaZ/pull/179.
@cryptotechmaker Why was this the initial intention? I am inclined to keep medium severity given a direct code change was made to unblock DoS.
hyh
medium
Balancer rebalance operation is permanently blocked whenever owner assigns rebalancer role to some other address

Summary

Balancer's rebalance() controls access by requiring msg.sender to be simultaneously owner and rebalancer, which blocks the function whenever the rebalancer role is assigned to any address other than the owner's (which should be the case in production use).
Vulnerability Detail

Balancer's core operation can be blocked because of how the access-control check is structured: it requires msg.sender to hold both roles instead of either one of them.

Impact
Rebalancing, which is core functionality of the mTOFT workflow, becomes inaccessible once the owner transfers the rebalancer role elsewhere. To unblock it, the role has to be returned to the owner address and kept there, so rebalancing can only be performed directly from the owner account. This brings operational risk: keeper operations have to be run from the owner account permanently, which raises the probability of that account being compromised.

There is also the impact of having the rebalancer role set to a keeper bot and being unable to rebalance for a while, until the protocol reassigns the role and runs the scripts from the owner account. This delay can be crucial for user operations and in some situations lead to loss of funds.

Likelihood: Low + Impact: High = Severity: Medium.
Code Snippet

Initially owner and rebalancer are set to the same address:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/Balancer.sol#L101-L110

Owner can then transfer the rebalancer role to some other address, e.g. a keeper contract:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/Balancer.sol#L142-L149

Once owner transfers the rebalancer role to anyone else, it becomes impossible to rebalance, as (msg.sender != owner() || msg.sender != rebalancer) is always true (no single caller can equal both addresses at once):
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/Balancer.sol#L160-L176
Tool used
Manual Review
Recommendation

Consider updating the access control to allow either owner or rebalancer, i.e. revert only when msg.sender is neither of them, e.g.:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/Balancer.sol#L169-L176
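The following is an added example, not Tapioca's code: a minimal Balancer-like contract that reproduces the inverted check from the Code Snippet section next to the corrected form from the Recommendation, with a Foundry test showing that the buggy variant reverts for both owner and rebalancer as soon as the roles diverge. The contract name, the NotAuthorized error, the rebalanceBuggy/rebalanceFixed split and the keeper/stranger addresses are hypothetical, and forge-std is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code): MiniBalancer is a hypothetical
// reconstruction of the access-control pattern described in the report.
import {Test} from "forge-std/Test.sol";

contract MiniBalancer {
    error NotAuthorized();

    address public owner;
    address public rebalancer;
    uint256 public rebalances;

    constructor() {
        owner = msg.sender;
        rebalancer = msg.sender; // both roles start on the same address
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotAuthorized();
        _;
    }

    // Owner hands the rebalancer role to a keeper; roles now diverge.
    function setRebalancer(address _rebalancer) external onlyOwner {
        rebalancer = _rebalancer;
    }

    // Buggy form: `||` over two `!=` tests rejects every caller that is not
    // BOTH owner and rebalancer, so nobody can call it once the roles differ.
    function rebalanceBuggy() external {
        if (msg.sender != owner || msg.sender != rebalancer) revert NotAuthorized();
        rebalances++;
    }

    // Fixed form: reject only callers that are NEITHER owner NOR rebalancer.
    function rebalanceFixed() external {
        if (msg.sender != owner && msg.sender != rebalancer) revert NotAuthorized();
        rebalances++;
    }
}

contract MiniBalancerTest is Test {
    MiniBalancer bal;
    address keeper = address(0xBEEF);   // hypothetical keeper bot
    address stranger = address(0xCAFE); // hypothetical unprivileged caller

    function setUp() public {
        bal = new MiniBalancer(); // this test contract becomes the owner
    }

    function testBuggyWorksWhileRolesCoincide() public {
        bal.rebalanceBuggy();
        assertEq(bal.rebalances(), 1);
    }

    function testBuggyBlocksEveryoneAfterRoleTransfer() public {
        bal.setRebalancer(keeper);
        // owner still holds owner but no longer rebalancer: reverts
        vm.expectRevert(MiniBalancer.NotAuthorized.selector);
        bal.rebalanceBuggy();
        // keeper holds rebalancer but is not owner: also reverts (DoS)
        vm.prank(keeper);
        vm.expectRevert(MiniBalancer.NotAuthorized.selector);
        bal.rebalanceBuggy();
    }

    function testFixedAllowsEitherRoleOnly() public {
        bal.setRebalancer(keeper);
        bal.rebalanceFixed();      // owner
        vm.prank(keeper);
        bal.rebalanceFixed();      // rebalancer
        assertEq(bal.rebalances(), 2);
        vm.prank(stranger);
        vm.expectRevert(MiniBalancer.NotAuthorized.selector);
        bal.rebalanceFixed();      // neither role
    }
}
```

Run with forge test; the second test is the denial of service from the report, and the third confirms that the corrected condition still excludes callers holding neither role.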