ValantisModule::setPriceBounds Missing whenNotPaused modifier
Low/Info issue submitted by cergyk
Summary
ValantisModule::setPriceBounds is a sensitive function used to set the price range on the Valantis AMM. It shouldn’t be callable while the protocol is paused and should have the whenNotPaused modifier.
Vulnerability Detail
ValantisModule::setPriceBounds is a sensitive function used to set the price range on the Valantis AMM: ValantisHOTModule.sol#L296-L315.
This function is critical as it directly influences the AMM's behavior, and as can be seen in other issues (see issue “Malicious executor can brick vault withdrawals for at least 2 days”), it can be used to harm the vaults.
Allowing it to be callable when the protocol is paused could lead to unintended consequences or exploits during a paused state. Hence, it shouldn’t be allowed to be used when the protocol is paused and should have the whenNotPaused modifier to ensure it is only callable when the protocol is active.
Impact
The absence of the whenNotPaused modifier on this sensitive function could allow malicious actions from the executor.
Code Snippet
Tool used
Manual Review
Recommendation
Add the whenNotPaused modifier to the setPriceBounds function to ensure it cannot be called when the protocol is paused: ValantisHOTModule.sol#L303
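The same omission can be checked for across a whole module. The script below is an added example, not code from the report or the project: it lists external/public state-changing functions whose header lacks whenNotPaused. The Solidity sample is constructed, and its signatures and the modifier names onlyManager, onlyMetaVault and onlyGuardian are assumptions.

```python
import re

# Constructed Solidity sample (not the project's source). Signatures and
# modifier names other than setPriceBounds/whenNotPaused are assumptions.
SAMPLE = """
contract SampleModule {
    function deposit(uint256 amount_) external onlyMetaVault whenNotPaused { }

    function setPriceBounds(uint160 low_, uint160 high_)
        external
        onlyManager // pause guard (whenNotPaused) is missing here
    { }

    function pause() external onlyGuardian { }
    function unpause() external onlyGuardian whenPaused { }
    function totalUnderlying() external view returns (uint256, uint256) { }
    function _checkBounds(uint160 low_, uint160 high_) internal { }
}
"""

COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# name, parameter list (no nested parentheses), then everything up to '{' or ';'
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")


def unguarded_functions(source, guard="whenNotPaused", allow=("pause", "unpause")):
    """List external/public state-changing functions whose header lacks `guard`."""
    findings = []
    # Strip comments first so a guard named only in a comment does not count.
    for match in FUNC_RE.finditer(COMMENT_RE.sub("", source)):
        name, header = match.group(1), match.group(3)
        words = set(re.findall(r"\w+", header))
        if not words & {"external", "public"}:
            continue  # internal/private: not directly callable
        if words & {"view", "pure"}:
            continue  # read-only: cannot change AMM state
        if guard in words or name in allow:
            continue  # guarded, or must stay callable while paused
        findings.append(name)
    return findings


if __name__ == "__main__":
    for fn in unguarded_functions(SAMPLE):
        print(f"review: {fn} is state-changing but has no whenNotPaused")
```

A hit is a prompt for manual review rather than a verdict, since some functions are deliberately left callable while paused.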