sherlock-audit / 2024-05-kwenta-x-perennial-integration-update-judging


odhismanuel - Lack of validation when updating system Configurations #20

Closed sherlock-admin2 closed 5 months ago

sherlock-admin2 commented 5 months ago

odhismanuel

medium

Lack of validation when updating system Configurations

Summary

_vaultUpdate(account, vault, depositAssets, redeemShares, claimAssets, wrap. The code snippet doesn't directly handle the snippet configuration updates. Thus it is somehow difficult to say there is a lack of validation based on the limited code.

Vulnerability Detail

An attacker may manipulate the system configuration without proper validation; they could potentially exploit the function and steal users' funds. E.g., they might inflate the vault fees or manipulate conversion rates to their advantage.

Impact

An attacker could manipulate the vault parameters by inflating vault fees, modifying interest rates and altering conversion rates.

Code Snippet

https://github.com/sherlock-audit/2024-05-kwenta-x-perennial-integration-update/blob/main/perennial-v2/packages/perennial-extensions/contracts/MultiInvoker.sol#L161

Tool used

No Manual Review Yes

Recommendation

Implement a mechanism to review and monitor all system configuration updates. It could involve recording a history of changes with timestamps and reasons for updates.

sherlock-admin4 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; no attack shown.