Platform: Code4rena
Start Date: 27/05/2022
Pot Size: $75,000 USDC
Total HM: 20
Participants: 58
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 15
Id: 131
League: ETH
Rank: 46/58
Findings: 1
Award: $119.82
π Selected for report: 0
π Solo Findings: 0
π Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0xNazgul, 0xf15ers, BowTiedWardens, Chom, Funen, Kaiziron, Kumpa, MiloTruck, Picodes, Ruhum, SecureZeroX, Sm4rty, SmartSek, StyxRave, WatchPug, Waze, asutorufos, bardamu, berndartmueller, c3phas, catchup, cccz, codexploder, cryptphi, defsec, delfin454000, dipp, fatherOfBlocks, gzeon, hake, hansfriese, hyh, masterchief, oyc_109, sach1r0, sashik_eth, shenwilly, simon135, unforgiven
119.8232 USDC - $119.82
https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L145-L155 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L236-L249 https://github.com/code-423n4/2022-05-backd/blob/main/protocol/contracts/tokenomics/InflationManager.sol#L321-L330
Several actions need to be prepared and go through a time-lock before they can be executed. InflationManager allows anyone to call the single action execute function but requires onlyRoles2(Roles.GOVERNANCE, Roles.INFLATION_MANAGER) for the batched versions. This looks like an oversight since the same access control level should be enforced.
For example, the executeLpPoolWeight function allows anyone to call it:
function executeLpPoolWeight(address lpToken) external override returns (uint256) { (...) }
But the batched version enforces the caller to have GOVERNANCE or INFLATION_MANAGER roles:
function batchExecuteLpPoolWeights(address[] calldata lpTokens) external override onlyRoles2(Roles.GOVERNANCE, Roles.INFLATION_MANAGER) returns (bool) {
The same happens in executeAmmTokenWeight versus batchExecuteAmmTokenWeights , as well as executeKeeperPoolWeight versus batchExecuteKeeperPoolWeights.
If only trusted roles should be able to execute pending actions then the onlyRoles modifier should be added to the non-batched functions.
Scenarios where you would not want to allow anyone to execute could include potential votes/changes that may trigger a bug or undesired behavior noticed after it had already been approved.
vim
Enforce the proper access control mechanism in non-batched execute functions.
#0 - danhper
2022-06-06T15:32:25Z
The access control should actually be removed from batchExecuteKeeperPoolWeights rather than added to executeKeeperPoolWeight, so this is rather QA severity
#1 - GalloDaSballo
2022-06-19T21:14:36Z
My immediate reply would have been for the finding to be invalid, however, per the sponsor reply, we can leave as valid at QA severity as indeed there's an incongruence between access controls