Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a timelock to PooledCreditLine.updateProtocolFeeFraction() #50

Closed
code423n4 opened this issue Mar 31, 2022 · 2 comments
Closed

Add a timelock to PooledCreditLine.updateProtocolFeeFraction() #50

code423n4 opened this issue Mar 31, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/sublime-finance/sublime-v1/blob/46536a6d25df4264c1b217bd3232af30355dcb95/contracts/PooledCreditLine/PooledCreditLine.sol#L524

Vulnerability details

Impact

It is a good practice to give time for users to react and adjust to critical changes. A timelock provides more guarantees and reduces the level of trust required, thus decreasing risk for users. It also indicates that the project is legitimate.

Here, no timelock capabilities seem to be used

I believe this impacts multiple users enough to make them want to react / be notified ahead of time.

Recommended Mitigation Steps

Consider adding a timelock to PooledCreditLine.updateProtocolFeeFraction()

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 31, 2022
code423n4 added a commit that referenced this issue Mar 31, 2022
@ritik99 ritik99 added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Apr 12, 2022
@ritik99
Copy link
Collaborator

ritik99 commented Apr 12, 2022

This is a valid suggestion. Given assets are not at direct/indirect risk, and the assumption that the admin is a trusted actor (as mentioned in the contest readme), we would suggest reducing the severity to (1) Low-risk

@HardlyDifficult
Copy link
Collaborator

Grouping with the warden's QA report, #33

@HardlyDifficult HardlyDifficult added the duplicate This issue or pull request already exists label May 2, 2022
@JeeberC4 JeeberC4 added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

4 participants