Blocking of Default Vault Implementation in changeImplementationForVault Function #8
Labels: bug, downgraded by judge, grade-a, insufficient quality report, QA (Quality Assurance), 🤖_primary, 🤖_02_group
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/Core.sol#L183
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/CoreLib.sol#L157
https://github.com/code-423n4/2024-07-karak/blob/f5e52fdcb4c20c4318d532a9f08f7876e9afb321/src/entities/CoreLib.sol#L118
Vulnerability details
Vulnerability Details:
The changeImplementationForVault function allows the owner to change the implementation of a specific vault. The only two requirements are that the newVaultImpl must be an allowlisted implementation, and the previous vault cannot be the zero address.
The isVaultImplAllowlisted function checks the implementation against the allowlistedVaultImpl mapping and the current default vault implementation, which is self.vaultImpl. If the new implementation is neither of these, it returns false, causing the changeImplementationForVault function to revert.
The problem is that this check blocks the changeImplementationForVault function from setting a vault's implementation to DEFAULT_VAULT_IMPLEMENTATION_FLAG. As seen in the deployVaults function, the flag is a valid implementation value, and it allows all standard vaults to be changed to a new implementation.
Therefore, if the protocol wants to change a vault's implementation to the default vault implementation, it cannot do so and would have to manually update it every time the default is changed.
Impact:
The current implementation restricts the ability to update vaults to the default vault implementation using the changeImplementationForVault function. This requires manual updates to each vault whenever the default implementation is changed.
Tools Used:
Recommendation:
Modify the changeImplementationForVault function to allow it to set the new implementation to the default vault implementation flag.
Assessed type
Other
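The behaviour this report describes, as an added example that is not part of the original report or of Karak's code: a simplified Python model of the allowlist check and of the recommended change. The sentinel value, the per-vault storage, the error strings and the vault and implementation names are assumptions made for illustration.

```python
# Simplified model of the behaviour described in the report; not Karak's Solidity code.
DEFAULT_VAULT_IMPLEMENTATION_FLAG = "FLAG"  # constructed sentinel, real value not on the page


class CoreModel:
    def __init__(self, default_impl, accept_flag=False):
        self.vault_impl = default_impl       # current default (self.vaultImpl in the report)
        self.allowlisted_vault_impl = set()  # models the allowlistedVaultImpl mapping
        self.vault_to_impl = {}              # hypothetical storage: vault -> address or flag
        self.accept_flag = accept_flag       # True models the recommended change

    def is_vault_impl_allowlisted(self, impl):
        # Check as the report describes it: allowlist entry or current default only.
        return impl in self.allowlisted_vault_impl or impl == self.vault_impl

    def deploy_vault(self, vault, impl=DEFAULT_VAULT_IMPLEMENTATION_FLAG):
        # Per the report, deployVaults treats the flag as a valid implementation.
        if impl != DEFAULT_VAULT_IMPLEMENTATION_FLAG and not self.is_vault_impl_allowlisted(impl):
            raise ValueError("VaultImplNotAllowlisted")
        self.vault_to_impl[vault] = impl

    def change_implementation_for_vault(self, vault, new_impl):
        if vault not in self.vault_to_impl:  # stands in for the zero-address check
            raise ValueError("VaultNotFound")
        flag_ok = self.accept_flag and new_impl == DEFAULT_VAULT_IMPLEMENTATION_FLAG
        if not (flag_ok or self.is_vault_impl_allowlisted(new_impl)):
            raise ValueError("VaultImplNotAllowlisted")
        self.vault_to_impl[vault] = new_impl

    def implementation(self, vault):
        # Vaults storing the flag follow the default; pinned vaults keep their address.
        stored = self.vault_to_impl[vault]
        return self.vault_impl if stored == DEFAULT_VAULT_IMPLEMENTATION_FLAG else stored


def run_scenario(accept_flag):
    core = CoreModel("impl_v1", accept_flag)
    core.deploy_vault("vaultA")             # stores the flag
    core.deploy_vault("vaultB", "impl_v1")  # pinned to a concrete implementation
    try:
        core.change_implementation_for_vault("vaultB", DEFAULT_VAULT_IMPLEMENTATION_FLAG)
        outcome = "changed"
    except ValueError as exc:
        outcome = str(exc)
    core.vault_impl = "impl_v2"             # owner later changes the default
    return outcome, core.implementation("vaultA"), core.implementation("vaultB")


if __name__ == "__main__":
    print(run_scenario(False), run_scenario(True))
```

With the check as described, vaultB stays on impl_v1 after the default changes; with the flag accepted, both vaults resolve to impl_v2.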