Code4rena finding CODE423N4:2023-07-ARCADE-FINDINGS-ISSUES-527
Jul 28, 2023 - 12:00 a.m.

setThreshold can bypass cool down period in setGSCAllowance

Code4rena
github.com

Lines of code
<https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/ArcadeTreasury.sol#L308>

Vulnerability details

Impact

setThreshold can bypass the cool down period in setGSCAllowance and decrease the gscAllowance[token].

Proof of Concept

In setGSCAllowance, we add a cool-down period of 7 days for the admin to set a new allowance to gscAllowance[token] (either increase or decrease):

    function setGSCAllowance(address token, uint256 newAllowance) external onlyRole(ADMIN_ROLE) {
        if (token == address(0)) revert T_ZeroAddress("token");
        if (newAllowance == 0) revert T_ZeroAmount();

        // enforce cool down period
        if (uint48(block.timestamp) < lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN) {
            revert T_CoolDownPeriod(block.timestamp, lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN);
        }

        // ... rest of the function (which stores the new allowance) omitted in the finding
    }

However, if the admin calls setThreshold() directly with thresholds.small < gscAllowance[token], the decrease of gscAllowance[token] takes effect immediately, without any cool-down check, making the cool-down period useless:

    function setThreshold(address token, SpendThreshold memory thresholds) external onlyRole(ADMIN_ROLE) {
        // verify that the token is not the zero address
        if (token == address(0)) revert T_ZeroAddress("token");
        // verify small threshold is not zero
        if (thresholds.small == 0) revert T_ZeroAmount();

        // verify thresholds are ascending from small to large
        if (thresholds.large < thresholds.medium || thresholds.medium < thresholds.small) {
            revert T_ThresholdsNotAscending();
        }

        // if gscAllowance is greater than new small threshold, set it to the new small threshold
        // (note: no cool-down check and no update of lastAllowanceSet[token] here)
        if (thresholds.small < gscAllowance[token]) {
            gscAllowance[token] = thresholds.small;

            emit GSCAllowanceUpdated(token, thresholds.small);
        }

        // ... rest of the function omitted in the finding
    }

Tools Used

Manual Review.

Recommended Mitigation Steps

Only apply the cool-down period when increasing gscAllowance, or also enforce the cool-down period in setThreshold() whenever it lowers gscAllowance[token].
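The second mitigation option, written out as an added example (not the project's own code): a setThreshold variant that applies the same cool-down whenever the new small threshold would lower gscAllowance[token], and records the change in lastAllowanceSet[token] so a following setGSCAllowance call is also gated. The storage and error names follow the snippets above; the spendThresholds mapping, the ThresholdsUpdated event and the onlyAdmin modifier are assumptions standing in for the parts of the contract the finding does not show.

```solidity
// Added example, not the project's code. Names not present in the finding's
// snippets (spendThresholds, ThresholdsUpdated, onlyAdmin) are assumptions.
pragma solidity ^0.8.18;

contract ThresholdCoolDownExample {
    struct SpendThreshold { uint256 small; uint256 medium; uint256 large; }

    uint48 public constant SET_ALLOWANCE_COOL_DOWN = 7 days; // the finding's 7-day period

    mapping(address => SpendThreshold) public spendThresholds; // assumed threshold storage
    mapping(address => uint256) public gscAllowance;
    mapping(address => uint48) public lastAllowanceSet;
    address public admin;

    error T_ZeroAddress(string);
    error T_ZeroAmount();
    error T_ThresholdsNotAscending();
    error T_CoolDownPeriod(uint256 currentTime, uint256 coolDownEnd);
    event GSCAllowanceUpdated(address token, uint256 newAllowance);
    event ThresholdsUpdated(address token, SpendThreshold thresholds); // assumed name

    constructor() { admin = msg.sender; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function setThreshold(address token, SpendThreshold memory thresholds) external onlyAdmin {
        if (token == address(0)) revert T_ZeroAddress("token");
        if (thresholds.small == 0) revert T_ZeroAmount();
        if (thresholds.large < thresholds.medium || thresholds.medium < thresholds.small) {
            revert T_ThresholdsNotAscending();
        }

        // Lowering the GSC allowance is an allowance change, so it must respect the
        // same cool-down as setGSCAllowance and must stamp lastAllowanceSet, otherwise
        // an immediate follow-up setGSCAllowance call would still be possible.
        if (thresholds.small < gscAllowance[token]) {
            uint48 coolDownEnd = lastAllowanceSet[token] + SET_ALLOWANCE_COOL_DOWN;
            if (uint48(block.timestamp) < coolDownEnd) {
                revert T_CoolDownPeriod(block.timestamp, coolDownEnd);
            }
            gscAllowance[token] = thresholds.small;
            lastAllowanceSet[token] = uint48(block.timestamp);
            emit GSCAllowanceUpdated(token, thresholds.small);
        }

        spendThresholds[token] = thresholds;
        emit ThresholdsUpdated(token, thresholds);
    }
}
```

A threshold update that does not touch gscAllowance[token] still goes through immediately, so only the allowance-lowering path is slowed by the cool-down.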

Assessed type

Context
