sherlock-audit / 2024-03-arrakis-judging


ValantisModule::setPriceBounds Missing whenNotPaused modifier #96

Closed sherlock-admin3 closed 1 month ago

sherlock-admin3 commented 1 month ago

ValantisModule::setPriceBounds Missing whenNotPaused modifier

Low/Info issue submitted by cergyk

Summary

ValantisModule::setPriceBounds is a sensitive function used to set the range on the Valantis AMM. It shouldn’t be allowed to be used when the protocol is paused and should have the whenNotPaused modifier.

Vulnerability Detail

ValantisModule::setPriceBounds is a sensitive function used to set the price range on the Valantis AMM: ValantisHOTModule.sol#L296-L315.

This function is critical as it directly influences the AMM's behavior, and as can be seen in other issues (see issue “Malicious executor can brick vault withdrawals for at least 2 days”), it can be used to harm the vaults.

Allowing it to be callable when the protocol is paused could lead to unintended consequences or exploits during a paused state. Hence, it shouldn’t be allowed to be used when the protocol is paused and should have the whenNotPaused modifier to ensure it is only callable when the protocol is active.

Impact

The absence of the whenNotPaused modifier on this sensitive function could allow malicious actions from the executor.

Code Snippet

Tool used

Manual Review

Recommendation

Add the whenNotPaused modifier to the setPriceBounds function to ensure it cannot be called when the protocol is paused: ValantisHOTModule.sol#L303

    function setPriceBounds(
        uint160 sqrtPriceLowX96_,
        uint160 sqrtPriceHighX96_,
        uint160 expectedSqrtSpotPriceUpperX96_,
        uint160 expectedSqrtSpotPriceLowerX96_
-   ) external onlyManager {
+   ) external whenNotPaused onlyManager {
...
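
Review bot: on the changed signature line `) external whenNotPaused onlyManager {`, the new guard also prevents the manager from adjusting the bounds while the contract is paused, and nothing in the hunk documents or tests that behaviour. Suggest adding a NatSpec line on setPriceBounds stating that it reverts when paused, and a test that pauses the module and asserts that a manager call to setPriceBounds reverts. It is also worth confirming in the change description that no pause-time recovery procedure relies on the manager changing the bounds.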