Platform: Code4rena
Start Date: 05/05/2022
Pot Size: $125,000 DAI
Total HM: 17
Participants: 62
Period: 14 days
Judge: leastwood
Total Solo HM: 15
Id: 120
League: ETH
Rank: 47/62
Findings: 1
Award: $179.97
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xkatana, 0xsomeone, AuditsAreUS, BouSalman, BowTiedWardens, Cityscape, Funen, GimelSec, Hawkeye, JC, MaratCerby, MiloTruck, Picodes, Ruhum, TerrierLover, WatchPug, Waze, bobirichman, catchup, cccz, cryptphi, csanuragjain, delfin454000, ellahi, fatherOfBlocks, hake, horsefacts, hyh, jayjonah8, joestakey, kebabsec, kenta, mics, oyc_109, robee, samruna, shenwilly, sikorico, simon135, throttle, tintin
179.9731 DAI - $179.97
Lack of a two-step procedure for critical operations leaves them error-prone: if the address is incorrect, the new address takes on the functionality of the role immediately.
For example: Alice deploys a new version of the whitehack group address. When she invokes the whitehack group address setter to replace the address, she accidentally enters the wrong address. The new address now has access to the role immediately, and it is too late to revert.
Affected functions: gALCX.transferOwnership()
## Tools Used
Manual review
Use a two-step procedure for all non-recoverable critical operations to prevent irrecoverable mistakes.
Functions affected:
EthAssetManager.setOperator()
EthAssetManager.setRewardReceiver()
EthAssetManager.setTransmuterBuffer()
AlchemicTokenV2Base.mint() - recipient param
AlchemicTokenV1.mint() - recipient param
## Tools Used
Manual review
Consider adding a zero address check for these parameters.
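The following contract is an added example covering both findings above (the two-step handover and the zero-address checks); it is not code from the contracts under audit. The contract and member names (TwoStepRoles, pendingOwner, setOperator, and the events and errors) are assumptions chosen for illustration. It shows why a two-step handover is recoverable: a mistyped address in transferOwnership() only sets a pending candidate, which can be overwritten or cancelled until the candidate itself calls acceptOwnership().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not the audited project's code): two-step ownership handover
/// plus zero-address checks on role setters. All names are illustrative.
contract TwoStepRoles {
    address public owner;
    address public pendingOwner;   // candidate that still has to accept
    address public operator;       // a role set directly, guarded by a zero check

    event OwnershipTransferStarted(address indexed current, address indexed pending);
    event OwnershipTransferred(address indexed previous, address indexed next);
    event OperatorSet(address indexed previous, address indexed next);

    error Unauthorized();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Step 1: the current owner proposes a successor. A typo here is harmless,
    /// because the proposal can be overwritten or cancelled until it is accepted.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    /// Cancel a pending proposal, e.g. after noticing a wrong address.
    function cancelOwnershipTransfer() external onlyOwner {
        pendingOwner = address(0);
        emit OwnershipTransferStarted(owner, address(0));
    }

    /// Step 2: only the proposed address can complete the handover, which proves
    /// the key behind it exists and is controlled by someone. msg.sender can never
    /// be address(0), so an empty pendingOwner cannot be accepted by anyone.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert Unauthorized();
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    /// Single-step setter for a less critical role: the zero-address check still
    /// prevents disabling the role with an empty argument.
    function setOperator(address newOperator) external onlyOwner {
        if (newOperator == address(0)) revert ZeroAddress();
        emit OperatorSet(operator, newOperator);
        operator = newOperator;
    }
}
```

The same pattern applies to any role setter listed in the findings: the proposal step validates the argument and records it, and the accept step is the only place where the live role changes. Emitting an event at each step gives monitoring a signal to alert on an unexpected pending address before it is accepted.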
Functions affected:
AutoleverageBase.approve()
AutoleverageCurveMetapool._curveSwap()
WETHGateWay.refreshAllowance()
## Tools Used
Manual review
Use a safe approve wrapper or check the boolean return value of approve().
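As an added example (not code from the audited contracts), the contract below places the unchecked call the finding describes next to the two recommended fixes: checking the boolean result, and using a safe-approve wrapper. The wrapper is written by hand in the style of OpenZeppelin's SafeERC20 so the example is self-contained; the names AllowanceExamples, refreshAllowanceUnsafe, refreshAllowanceChecked, refreshAllowanceSafe and _safeApprove are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

/// Minimal ERC20 surface needed for this example.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Added example, not the audited project's code. Illustrative names throughout.
contract AllowanceExamples {
    error ApproveFailed(address token);

    /// BEFORE: the return value is discarded. A token that signals failure by
    /// returning false (instead of reverting) leaves the allowance unchanged while
    /// the caller proceeds as if the approval succeeded.
    function refreshAllowanceUnsafe(IERC20 token, address spender, uint256 amount) external {
        token.approve(spender, amount);
    }

    /// AFTER, option 1: check the boolean result. Correct for tokens that follow
    /// the ERC20 spec and actually return a bool.
    function refreshAllowanceChecked(IERC20 token, address spender, uint256 amount) external {
        bool ok = token.approve(spender, amount);
        if (!ok) revert ApproveFailed(address(token));
    }

    /// AFTER, option 2: a safe-approve wrapper that also tolerates tokens whose
    /// approve() returns no data at all (a high-level call to such a token would
    /// revert on decoding the missing bool).
    function refreshAllowanceSafe(IERC20 token, address spender, uint256 amount) external {
        _safeApprove(address(token), spender, amount);
    }

    function _safeApprove(address token, address spender, uint256 amount) internal {
        // A low-level call to an address with no code returns success with empty
        // data, which would otherwise look like a "no return value" token.
        if (token.code.length == 0) revert ApproveFailed(token);

        (bool success, bytes memory data) =
            token.call(abi.encodeWithSelector(IERC20.approve.selector, spender, amount));

        // success == false: the token reverted.
        // data empty: non-standard token with no return value, treated as success.
        // data present: must ABI-decode to true.
        if (!success || (data.length != 0 && !abi.decode(data, (bool)))) {
            revert ApproveFailed(token);
        }
    }
}
```

The low-level wrapper is the more general fix: it handles standard tokens, tokens that return nothing, and tokens that return false, all of which exist in practice, whereas the plain boolean check only covers the first and third.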