RebalanceManager.sol#setRebalanceManager() should implement two-step transfer pattern #226
Labels
0 (Non-critical): Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
bug: Something isn't working
Handle
WatchPug
Vulnerability details
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManager.sol#L57-L63
RebalanceManager.rebalanceManager is a critical role. If the current rebalanceManager mistakenly calls setRebalanceManager() with a wrong address, it can result in all the onlyRebalanceManager() methods being inaccessible, and it cannot be undone.
Recommendation
Consider changing the setRebalanceManager() function to first nominate an address as the pending rebalanceManager and adding an acceptRebalanceManager() function which is called by the pending rebalanceManager to confirm the transfer.
Also in:
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManagerV2.sol#L43-L49
https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/callManagers/RebalanceManagerV3.sol#L48-L54
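
The nominate-then-accept pattern recommended above, as an added sketch that is not part of the original report and is not the project's own code. The contract name, the pendingRebalanceManager variable, both events, the revert strings and the compiler pragma are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed compiler version, not taken from the project

// Illustrative sketch only: not the Amun RebalanceManager source.
// pendingRebalanceManager and both events are assumed names.
contract TwoStepRebalanceManager {
    address public rebalanceManager;
    address public pendingRebalanceManager;

    event RebalanceManagerNominated(address indexed current, address indexed pending);
    event RebalanceManagerChanged(address indexed previous, address indexed current);

    modifier onlyRebalanceManager() {
        require(msg.sender == rebalanceManager, "NOT_REBALANCE_MANAGER");
        _;
    }

    constructor() {
        rebalanceManager = msg.sender;
        emit RebalanceManagerChanged(address(0), msg.sender);
    }

    // Step 1: the current manager only nominates a successor. The role does
    // not move yet, so a mistyped address can be corrected by nominating
    // again, or cancelled by nominating address(0).
    function setRebalanceManager(address _pending) external onlyRebalanceManager {
        pendingRebalanceManager = _pending;
        emit RebalanceManagerNominated(rebalanceManager, _pending);
    }

    // Step 2: the nominee proves control of the address by calling this
    // itself. Only then does the role transfer and the nomination clear.
    function acceptRebalanceManager() external {
        require(msg.sender == pendingRebalanceManager, "NOT_PENDING_MANAGER");
        address previous = rebalanceManager;
        rebalanceManager = msg.sender;
        pendingRebalanceManager = address(0);
        emit RebalanceManagerChanged(previous, msg.sender);
    }
}
```

Emitting an event at both steps lets off-chain monitoring alert on a nomination before the role actually changes hands.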