0brxce - requireProposerOrAcceptor name differs from implementation #237
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Sponsor Disputed
The sponsor disputed this issue's validity
Comments
sherlock-admin4
changed the title
Steth::transferfrom will transfer 1-2 wei less which will result in reverting of consequent functions because of not enough balance.
sherlock-admin3
added
the
Sponsor Disputed
github-actions
bot
changed the title
github-actions
bot
added
the
Excluded
sherlock-admin3
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
0brxce
High
requireProposerOrAcceptor name differs from implementation
Summary
In the Admin Proxy contract, the requireProposerOrAcceptor modifier expects the caller to have the proposer role or acceptor role but the code implementation requires them to have both
Vulnerability Detail
The following functions have the requireProposerOrAcceptor modifier: proposeBaseImplementation, propose. If a caller doesn't have both roles the function call will fail.
Impact
The admin proxy will be unable to propose new base implementations or create new proposals
Code Snippet
requireProposerOrAcceptor Modifier
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/security/AdminProxy.sol#L42-L46
Modifier in use for proposeBaseImplementation and propose
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/security/AdminProxy.sol#L103-L113
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/security/AdminProxy.sol#L116-L125
Tool used
Manual Review
Recommendation
Use || instead of && in the conditional line for the requireProposerOrAcceptor modifier
Change the name to requireProposerAndModifier
The text was updated successfully, but these errors were encountered: