Lines of code
<https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L108-L109>
Any fees or funds sent to the treasury could potentially be stolen or manipulated
The treasury address can be updated by the contract owner to point to a malicious address after deployment. This presents a risk as the treasury receives all the deposit fees
The setTreasury function allows the contract owner to update the treasury address. There are no restrictions on what address can be set.
A proof of concept exploit would be:
Manual
setTreasury could require a timelock so there is a delay between updating the address and when it takes effect
Other
The text was updated successfully, but these errors were encountered:
All reactions