No check that pool[asset] is registered
Description
In the BlackwingVault contract, the updateDeployer() function is responsible for modifying the deployer. It does not check that the pool is registered.
Impact
The pool of assets may not be registered at the time of the change. Currently, this does not pose an issue as all functions in the vault verify that the asset is registered within the pool. However, considering the upgradability of the contract and the potential addition of more functions, this could become a concern depending on the nature of future implementations.
Recommendations
We suggest implementing a check to verify the existence of the pool. This precautionary measure would prevent the protocol from setting the deployer on a pool that does not exist, adding an extra layer of security to the system.
function updateDeployer(IERC20 asset, IDeployer deployer) public {
require(hasRole(OWNER_ROLE, msg.sender), UNAUTHORIZED_ERR);
+ requireAssetRegistered(asset);
pools[asset].deployer = deployer;
}
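Review bot: the added requireAssetRegistered(asset) line validates only the asset argument; the deployer argument is still written to pools[asset].deployer with no validation, so a zero address could be stored on a registered pool. If a zero deployer is not a valid state, add a check for it next to the new line, and consider emitting an event from updateDeployer() so that deployer changes are visible off-chain.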
Remediation
This issue has been acknowledged by Ferum Labs, and a fix was implemented in commit d7158213. The team added requireAssetRegistered(asset) to check the pool.