Category: Coding Mistakes
Incorrect access control of setVaultManager causes update lockout
Low Severity
Low Impact
High Likelihood
Description
The setVaultManager function is used in VeTranche to update the address of the vault manager contract:
function setVaultManager(address _vaultManager) external onlyManager {
    require(_vaultManager != address(0), "ADDRESS_INVALID");
    vaultManager = IVaultManager(_vaultManager);
}
This function is onlyManager, so it can only be called by the vault manager. However, the current version of the vault manager contract never calls this function.
Impact
The vault manager cannot be updated.
Recommendations
Change this to onlyGov.
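The lockout described above can be checked mechanically. The following is an added example, not code from the audit report or from the project: a heuristic Python check that lists functions guarded by a modifier whose only authorized caller never references them. The contract sources are constructed, and distributeRewards, allocateRewards and the VaultManager body are hypothetical.

```python
import re

# Constructed sample sources, not the project's real files. setVaultManager is
# the function from the finding; distributeRewards, allocateRewards and the
# VaultManager body are hypothetical.
VE_TRANCHE_SRC = """
contract VeTranche {
    function setVaultManager(address _vaultManager) external onlyManager {
        require(_vaultManager != address(0), "ADDRESS_INVALID");
        vaultManager = IVaultManager(_vaultManager);
    }
    function distributeRewards(uint256 amount) external onlyManager {
        rewards += amount;
    }
}
"""
VAULT_MANAGER_SRC = """
contract VaultManager {
    // setVaultManager is never invoked from here
    function allocateRewards(uint256 amount) external {
        veTranche.distributeRewards(amount);
    }
}
"""

# Function header: name, parameter list, then visibility/modifiers up to the body.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def strip_comments(src):
    """Drop // and /* */ comments so a mention in a comment is not counted."""
    return re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)

def guarded_functions(src, modifier):
    """Names of functions whose header carries `modifier`."""
    return [name for name, _params, attrs in FUNC_RE.findall(strip_comments(src))
            if re.search(rf"\b{re.escape(modifier)}\b", attrs)]

def locked_out(target_src, modifier, caller_src):
    """Guarded functions that the only authorized caller never references.

    Heuristic: any occurrence of the name in the caller (direct call, selector,
    signature string) counts as reachable, so a hit means the caller's source
    contains no textual reference to the function at all.
    """
    caller = strip_comments(caller_src)
    return [f for f in guarded_functions(target_src, modifier)
            if not re.search(rf"\b{re.escape(f)}\b", caller)]

if __name__ == "__main__":
    for name in locked_out(VE_TRANCHE_SRC, "onlyManager", VAULT_MANAGER_SRC):
        print(f"{name}: onlyManager, but the manager contract never calls it")
```

Run against real sources, the same check flags any setter whose role modifier names a contract that has no code path to it; switching the setter to onlyGov removes it from the result.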
Remediation
This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit af954df9.