Assessment reports>Avantis>Low findings>Incorrect access control of ,setVaultManager, causes update lockout
Category: Coding Mistakes

Incorrect access control of setVaultManager causes update lockout

Low Severity
Low Impact
High Likelihood

Description

The setVaultManager function is used in VeTranche to update the address of the vault manager contract:

function setVaultManager(address _vaultManager) external onlyManager {
    require(_vaultManager != address(0), "ADDRESS_INVALID");
    vaultManager = IVaultManager(_vaultManager);
}

This function is onlyManager, so it can only be called by the vault manager. However, the current version of the vault manager contract never calls this function.

Impact

The vault manager cannot be updated.

Recommendations

Change this to onlyGov.

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit af954df9.

Zellic © 2025Back to top ↑