Lines of code
<https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L308>
setThreshold() can bypass the cool-down period in setGSCAllowance() and decrease gscAllowance[token].
In setGSCAllowance, we add a cool-down period of 7 days for the admin to set a new allowance to gscAllowance[token] (either increase or decrease):
```solidity
function setGSCAllowance(address token, uint256 newAllowance) external onlyRole(ADMIN_ROLE) {
    if (token == address(0)) revert T_ZeroAddress("token");
    if (newAllowance == 0) revert T_ZeroAmount();

    // enforce cool down period
    if (uint48(block.timestamp) < lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN) {
        revert T_CoolDownPeriod(block.timestamp, lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN);
    }
    // ... (rest of the function is not quoted in this report)
}
```
However, if the admin calls setThreshold() directly and makes thresholds.small < gscAllowance[token], the update to gscAllowance[token] takes effect immediately, making the cool-down period useless:
```solidity
function setThreshold(address token, SpendThreshold memory thresholds) external onlyRole(ADMIN_ROLE) {
    // verify that the token is not the zero address
    if (token == address(0)) revert T_ZeroAddress("token");
    // verify small threshold is not zero
    if (thresholds.small == 0) revert T_ZeroAmount();

    // verify thresholds are ascending from small to large
    if (thresholds.large < thresholds.medium || thresholds.medium < thresholds.small) {
        revert T_ThresholdsNotAscending();
    }

    // if gscAllowance is greater than new small threshold, set it to the new small threshold
    if (thresholds.small < gscAllowance[token]) {
        gscAllowance[token] = thresholds.small;
        emit GSCAllowanceUpdated(token, thresholds.small);
    }
    // ... (rest of the function is not quoted in this report)
}
```
Manual Review.
Only apply the cool-down period when increasing gscAllowance, or also add a cool-down period in setThreshold().
Context
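The second recommendation above (a cool-down in setThreshold() as well), sketched as an added example that is neither Arcade's code nor the report author's. A single admin address stands in for onlyRole(ADMIN_ROLE), `spendThresholds`, `_coolDown` and `T_NotAdmin` are hypothetical names, and any checks not quoted in the report are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
// Added sketch, not ArcadeTreasury itself: a single admin address stands in for
// onlyRole(ADMIN_ROLE); spendThresholds, _coolDown and T_NotAdmin are assumed names.
contract TreasuryCoolDownSketch {
    struct SpendThreshold { uint256 small; uint256 medium; uint256 large; }
    uint48 public constant SET_ALLOWANCE_COOL_DOWN = 7 days;
    address public immutable admin;
    mapping(address => SpendThreshold) public spendThresholds;
    mapping(address => uint256) public gscAllowance;
    mapping(address => uint48) public lastAllowanceSet;
    event GSCAllowanceUpdated(address indexed token, uint256 amount);
    error T_ZeroAddress(string name);
    error T_ZeroAmount();
    error T_ThresholdsNotAscending();
    error T_CoolDownPeriod(uint256 current, uint256 earliest);
    error T_NotAdmin();

    modifier onlyAdmin() { if (msg.sender != admin) revert T_NotAdmin(); _; }
    constructor() { admin = msg.sender; }

    // Shared gate: reverts inside the cool-down window, otherwise restarts it.
    function _coolDown(address token) internal {
        uint48 earliest = lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN;
        if (uint48(block.timestamp) < earliest) revert T_CoolDownPeriod(block.timestamp, earliest);
        lastAllowanceSet[token] = uint48(block.timestamp);
    }

    function setGSCAllowance(address token, uint256 newAllowance) external onlyAdmin {
        if (token == address(0)) revert T_ZeroAddress("token");
        if (newAllowance == 0) revert T_ZeroAmount();
        _coolDown(token);
        gscAllowance[token] = newAllowance;
        emit GSCAllowanceUpdated(token, newAllowance);
    }

    function setThreshold(address token, SpendThreshold memory thresholds) external onlyAdmin {
        if (token == address(0)) revert T_ZeroAddress("token");
        if (thresholds.small == 0) revert T_ZeroAmount();
        if (thresholds.large < thresholds.medium || thresholds.medium < thresholds.small) {
            revert T_ThresholdsNotAscending();
        }
        if (thresholds.small < gscAllowance[token]) {
            _coolDown(token); // the clamp now waits like any other allowance change
            gscAllowance[token] = thresholds.small;
            emit GSCAllowanceUpdated(token, thresholds.small);
        }
        spendThresholds[token] = thresholds;
    }
}
```

With this gate, a setThreshold() call that would lower gscAllowance[token] reverts with T_CoolDownPeriod until the window has passed, while calls that leave the allowance untouched are unaffected.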