Hidden governance #11
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/8c157f519bc32e552f8cc832ecc75dc381faa91e/contracts/VUSD.sol#L11
Vulnerability details
Impact
The contract uses two governance models, one of which looks hidden.
Proof of Concept
The VUSD contract uses VanillaGovernable but inherits from ERC20PresetMinterPauserUpgradeable, and this contract uses roles for some administrative methods like pause or mint. This two-governance model does not seem necessary and can hide or raise suspicion about a rogue pool, thus damaging users' trust.
Recommended Mitigation Steps
Unify governance in only one, VanillaGovernable or role based.
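To make the two-path pattern concrete, here is an added illustration (not Hubble's code and not the warden's) with minimal stand-ins for the two mechanisms the finding names: a VanillaGovernable-style single `governance` address, and an ERC20PresetMinterPauser-style role registry in which the deployer receives `DEFAULT_ADMIN_ROLE`, `MINTER_ROLE` and `PAUSER_ROLE`. The contract names, the simplified role bookkeeping and the trivial token state are assumptions for the example; the real OpenZeppelin preset behaves the same way for the point shown (roles are granted to `msg.sender` in its initializer, and `mint`/`pause` are gated on those roles, not on `governance`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Stand-in for VanillaGovernable:
// a single governance address guards privileged functions.
abstract contract VanillaGovernableLike {
    address public governance;

    modifier onlyGovernance() {
        require(msg.sender == governance, "ONLY_GOVERNANCE");
        _;
    }

    function setGovernance(address _governance) external onlyGovernance {
        governance = _governance;
    }
}

// Stand-in for the AccessControl roles that ERC20PresetMinterPauser brings in.
// Holders of DEFAULT_ADMIN_ROLE can grant MINTER/PAUSER to any address, and
// none of this is visible to someone who only inspects `governance`.
abstract contract RolesLike {
    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00;
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");
    mapping(bytes32 => mapping(address => bool)) private _roles;

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "MISSING_ROLE");
        _;
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role][account];
    }

    function grantRole(bytes32 role, address account) external onlyRole(DEFAULT_ADMIN_ROLE) {
        _roles[role][account] = true;
    }

    function _setupRole(bytes32 role, address account) internal {
        _roles[role][account] = true;
    }
}

// The pattern the finding describes: two parallel authorities.
// `governance` is the documented admin, but the deployer (and anyone it
// grants roles to) can mint and pause without ever touching `governance`.
contract TwoPathVUSD is VanillaGovernableLike, RolesLike {
    bool public paused;
    mapping(address => uint256) public balanceOf;

    constructor(address _governance) {
        governance = _governance;
        // Mirrors the preset's initializer: roles go to msg.sender, not to governance.
        _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _setupRole(MINTER_ROLE, msg.sender);
        _setupRole(PAUSER_ROLE, msg.sender);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        balanceOf[to] += amount;
    }

    function pause() external onlyRole(PAUSER_ROLE) {
        paused = true;
    }
}

// The unified form the mitigation asks for: one authority. Every privileged
// function is gated on onlyGovernance, so rotating `governance` moves all
// powers at once and there is no second key set to audit.
contract SinglePathVUSD is VanillaGovernableLike {
    bool public paused;
    mapping(address => uint256) public balanceOf;

    constructor(address _governance) {
        governance = _governance;
    }

    function mint(address to, uint256 amount) external onlyGovernance {
        balanceOf[to] += amount;
    }

    function pause() external onlyGovernance {
        paused = true;
    }
}
```

The equally valid alternative is to keep the role model and drop VanillaGovernable, granting `DEFAULT_ADMIN_ROLE` to the intended governance address rather than to the deployer. Whichever is chosen, a reviewer checking `TwoPathVUSD` today has to enumerate `hasRole(MINTER_ROLE, x)` and `hasRole(PAUSER_ROLE, x)` for every candidate address in addition to reading `governance()`, which is exactly the hidden surface the finding points at.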