sherlock-audit / 2024-03-arrakis-judging


NoOne - Incorrect Access Control in `setMaxOracleDeviationBips` Function #10

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

NoOne

medium

Incorrect Access Control in setMaxOracleDeviationBips Function

Summary

The setMaxOracleDeviationBips function in the contract is intended to set the maximum allowed deviation between AMM and oracle price. However, the function is currently protected by the onlyManager modifier instead of the onlyLiquidityProvider modifier, as suggested by the comments. This incorrect access control allows unauthorized entities to call the function, potentially leading to incorrect settings and manipulation of the oracle deviation bounds.

Vulnerability Detail

The function is intended to be callable only by the liquidityProvider as indicated by the comments. However, it is currently protected by the onlyManager modifier. This misalignment in access control can lead to unauthorized access, allowing entities other than the liquidityProvider to modify critical parameters, potentially leading to incorrect oracle deviation settings.

Impact

Unauthorized Access: The function can be called by any entity with onlyManager privileges, rather than being restricted to the liquidityProvider.

Incorrect Settings: Unauthorized changes to the oracle deviation bounds can result in incorrect price deviations being used, potentially leading to financial discrepancies and market manipulation.

Security Risk: Incorrect access control can expose the contract to security risks, allowing unauthorized entities to manipulate critical parameters.

Code Snippet

function setMaxOracleDeviationBips

Tool used

Manual Review

Recommendation

To resolve this issue, replace the onlyManager modifier with the onlyLiquidityProvider modifier to ensure that only the liquidityProvider can call this function. This aligns with the intended access control specified in the comments and documentation.
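A reviewer's check for this class of finding, added here as an illustration and not taken from the Arrakis code base: a minimal stand-in contract whose NatSpec names the same role the modifier enforces, plus a Foundry test that pins the enforced role so any later drift between comment and code is caught. The contract name, the `uint24` storage type, the custom errors and the 10_000 bips sanity bound are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the vault discussed in the issue; not the project's code.
contract DeviationConfig {
    address public immutable manager;
    address public immutable liquidityProvider;
    uint24 public maxOracleDeviationBips; // assumed storage for the setting

    error OnlyManager();
    error OnlyLiquidityProvider();
    error DeviationTooLarge();

    modifier onlyManager() { if (msg.sender != manager) revert OnlyManager(); _; }
    modifier onlyLiquidityProvider() { if (msg.sender != liquidityProvider) revert OnlyLiquidityProvider(); _; }

    constructor(address manager_, address liquidityProvider_) {
        manager = manager_;
        liquidityProvider = liquidityProvider_;
    }

    /// @notice Sets the maximum allowed deviation between AMM and oracle price, in bips.
    /// @dev Callable only by the manager. The comment names the same role as the modifier
    ///      so a reader of either sees one consistent access-control story.
    function setMaxOracleDeviationBips(uint24 maxDeviation_) external onlyManager {
        if (maxDeviation_ > 10_000) revert DeviationTooLarge(); // assumed bound: 100%
        maxOracleDeviationBips = maxDeviation_;
    }
}

contract DeviationConfigTest is Test {
    DeviationConfig cfg;
    address manager = makeAddr("manager");
    address lp = makeAddr("lp");

    function setUp() public { cfg = new DeviationConfig(manager, lp); }

    // Pins the enforced role: the liquidity provider must be rejected, the manager accepted.
    function test_onlyManagerCanSetDeviation() public {
        vm.prank(lp);
        vm.expectRevert(DeviationConfig.OnlyManager.selector);
        cfg.setMaxOracleDeviationBips(100);

        vm.prank(manager);
        cfg.setMaxOracleDeviationBips(100);
        assertEq(cfg.maxOracleDeviationBips(), 100);
    }
}
```

Run with `forge test`; if the modifier or the intended role is ever changed, the test rather than a stale comment is what flags the disagreement.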

Jelev123 commented 2 months ago

Escalate. I identified an issue in the setMaxOracleDeviationBips function related to its access control. The function's documentation specifies that it should only be callable by the liquidityProvider, but the implementation uses the onlyManager modifier instead. Why is the issue excluded?

sherlock-admin3 commented 2 months ago

Escalate. I identified an issue in the setMaxOracleDeviationBips function related to its access control. The function's documentation specifies that it should only be callable by the liquidityProvider, but the implementation uses the onlyManager modifier instead. Why is the issue excluded?

The escalation could not be created because you are not exceeding the escalation threshold.

You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.

sherlock-admin3 commented 2 months ago

Escalate. Valid mid or bad function NatSpec (I believe it's the first one); either way, it is something that should be fixed!

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

0xjuaan commented 2 months ago

Sponsor confirmed that the NatSpec is wrong but the code is correct.

WangSecurity commented 2 months ago

@0xjuaan @Jelev123 was the escalation comment deleted or why is it missing?

0xjuaan commented 2 months ago

no idea

Jelev123 commented 2 months ago

I have no idea. I'm not, and neither is the person who made the escalate.

WangSecurity commented 2 months ago

Then, planning to reject the escalation since both roles are trusted and it's confirmed that code comments are outdated.

WangSecurity commented 2 months ago

Result: Invalid Unique

sherlock-admin2 commented 2 months ago

Escalations have been resolved successfully!

Escalation status: