sherlock-audit / 2024-06-velocimeter-judging


High Holographic Tortoise - Gauge can be updated by unintended users #716

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

High Holographic Tortoise

Low/Info

Gauge can be updated by unintended users

Summary

The updateGauge function currently allows any user to update the gauge address, and this is a security risk. This function should be access-controlled to prevent unauthorized users from making updates that could disrupt the protocol.

Referenced links

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/OptionTokenV4.sol#L413-L416

Vulnerability Detail

The updateGauge function can be called by anyone, which allows arbitrary users to update the gauge address. This could result in unintended updates to the gauge, especially in situations where the protocol has not decided to update the gauge to match the new voter contract.

Impact

This could lead to significant disruptions in the protocol’s operation. It could cause mismatches between the expected and actual gauge addresses, potentially leading to financial losses or operational issues within the protocol.

Code Snippet

/// @notice Update gauge address to match with Voter contract
function updateGauge() external { 
    address newGauge = IVoter(voter).gauges(address(pair));
    gauge = newGauge;
    emit SetGauge(newGauge);
}

Tool Used

Manual Review

Recommendation

Introduce access control to the updateGauge function, ensuring that only authorized users (e.g., admin or governance) can call it. This can be achieved using modifiers like onlyOwner or onlyAdmin.

/// @notice Update gauge address to match with Voter contract
/// @dev onlyOwner is assumed to come from an Ownable-style base contract
function updateGauge() external onlyOwner {
    address newGauge = IVoter(voter).gauges(address(pair));
    gauge = newGauge;
    emit SetGauge(newGauge);
}
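A self-contained illustration of the behaviour this report describes, added here as an example; it is not code from the report, from Velocimeter, or from the judging repository. MockVoter, OptionTokenOpen, OptionTokenGated, the constructor shapes and the Foundry (forge-std) test harness are all assumptions made for the example; the real Voter and OptionTokenV4 carry far more state. It shows the two things a practitioner would check: that in the open variant any address can resync gauge, and that the resync blindly copies whatever the voter mapping returns, which is address(0) whenever the voter has no gauge recorded for the pair. The gated variant rejects both.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumption: Foundry project with forge-std installed

interface IVoter {
    function gauges(address pair) external view returns (address);
}

// Stand-in for the Voter contract (assumption). A plain mapping, so a pair
// with no registered gauge reads back as address(0).
contract MockVoter is IVoter {
    mapping(address => address) public override gauges;

    function setGauge(address pair, address gauge_) external {
        gauges[pair] = gauge_;
    }
}

// Shape of the function quoted in the finding: no caller restriction.
contract OptionTokenOpen {
    address public immutable voter;
    address public immutable pair;
    address public gauge;

    event SetGauge(address indexed newGauge);

    constructor(address _voter, address _pair, address _gauge) {
        voter = _voter;
        pair = _pair;
        gauge = _gauge;
    }

    // Anyone may call this; it overwrites `gauge` with whatever the voter reports.
    function updateGauge() external {
        address newGauge = IVoter(voter).gauges(pair);
        gauge = newGauge;
        emit SetGauge(newGauge);
    }
}

// Hardened variant: owner-gated and refuses to point at the zero address.
contract OptionTokenGated {
    address public immutable owner;
    address public immutable voter;
    address public immutable pair;
    address public gauge;

    event SetGauge(address indexed newGauge);

    error NotOwner();
    error ZeroGauge();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address _voter, address _pair, address _gauge) {
        owner = msg.sender;
        voter = _voter;
        pair = _pair;
        gauge = _gauge;
    }

    function updateGauge() external onlyOwner {
        address newGauge = IVoter(voter).gauges(pair);
        if (newGauge == address(0)) revert ZeroGauge();
        gauge = newGauge;
        emit SetGauge(newGauge);
    }
}

contract UpdateGaugeTest is Test {
    MockVoter voter;
    address pair = address(0xBEEF);      // constructed sample addresses
    address oldGauge = address(0xCAFE);
    address attacker = address(0xBAD);

    function setUp() public {
        voter = new MockVoter();
        voter.setGauge(pair, oldGauge);
    }

    // Open variant: a stranger resyncs gauge, and the result is address(0)
    // because the voter no longer has an entry for the pair.
    function test_openVariantAnyoneCanResyncToZero() public {
        OptionTokenOpen ot = new OptionTokenOpen(address(voter), pair, oldGauge);
        voter.setGauge(pair, address(0));
        vm.prank(attacker);
        ot.updateGauge();
        assertEq(ot.gauge(), address(0));
    }

    // Gated variant: the same caller is rejected and gauge is untouched.
    function test_gatedVariantRejectsStranger() public {
        OptionTokenGated ot = new OptionTokenGated(address(voter), pair, oldGauge);
        vm.prank(attacker);
        vm.expectRevert(OptionTokenGated.NotOwner.selector);
        ot.updateGauge();
        assertEq(ot.gauge(), oldGauge);
    }

    // Gated variant: even the owner cannot resync to address(0).
    function test_gatedVariantRejectsZeroGauge() public {
        OptionTokenGated ot = new OptionTokenGated(address(voter), pair, oldGauge);
        voter.setGauge(pair, address(0));
        vm.expectRevert(OptionTokenGated.ZeroGauge.selector);
        ot.updateGauge(); // this test contract is the owner
        assertEq(ot.gauge(), oldGauge);
    }
}
```

Run with `forge test --match-contract UpdateGaugeTest`. The zero-address check is the part worth carrying over even if the access-control recommendation is not adopted: the permissionless function is only as safe as the voter's mapping, and a resync during the window between a gauge being killed or not yet created and its replacement being registered leaves gauge pointing nowhere.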