The rebalance function within the smart contract is designed to manage the strategic operations of a vault, including potentially sensitive actions such as withdrawing funds and pausing the contract. I've identified a significant issue concerning the permissions granted to the role of the executor, specifically after a change in the contract's management.
Vulnerability Detail
The current contract implementation allows the executor, who is authorized to initiate rebalances, potentially to retain operational capabilities even after there has been a change in management. This oversight could permit outdated executors to execute actions that should be restricted to current, authorized personnel only, leading to unauthorized access and control over critical functions.
Impact
If executors retain their roles post-management change, they could potentially execute unauthorized actions such as withdrawing funds or pausing the contract, which may not align with the new management's strategies or intentions.
Establish a dynamic role management system that automatically updates executor permissions concurrent with any changes in management. This should involve revoking existing permissions and reassigning them as necessary to align with the new management structure.
0xrobsol
high
Inadequate Role Management for Contract Executors
Summary
The rebalance function within the smart contract is designed to manage the strategic operations of a vault, including potentially sensitive actions such as withdrawing funds and pausing the contract. I've identified a significant issue concerning the permissions granted to the role of the executor, specifically after a change in the contract's management.
Vulnerability Detail
The current contract implementation allows the executor, who is authorized to initiate rebalances, potentially to retain operational capabilities even after there has been a change in management. This oversight could permit outdated executors to execute actions that should be restricted to current, authorized personnel only, leading to unauthorized access and control over critical functions.
Impact
If executors retain their roles post-management change, they could potentially execute unauthorized actions such as withdrawing funds or pausing the contract, which may not align with the new management's strategies or intentions.
Code Snippet
https://github.com/sherlock-audit/2024-03-arrakis/blob/main/arrakis-modular/src/ArrakisStandardManager.sol#L364-L379
Tool used
Manual Review
Recommendation
Establish a dynamic role management system that automatically updates executor permissions concurrent with any changes in management. This should involve revoking existing permissions and reassigning them as necessary to align with the new management structure.