Description

In the BlackwingVault contract, the updateDeployer() function is responsible for modifying the deployer. It lacks a check that a pool is registered.

Impact

The pool of assets may not be registered at the time of the change. Currently, this does not pose an issue as all functions in the vault verify that the asset is registered within the pool. However, considering the upgradability of the contract and the potential addition of more functions, this could become a concern depending on the nature of future implementations.

Recommendations

We suggest implementing a check to verify the existence of the pool. This precautionary measure would prevent the protocol from setting the deployer on a pool that does not exist, adding an extra layer of security to the system.

function updateDeployer(IERC20 asset, IDeployer deployer) public {
  require(hasRole(OWNER_ROLE, msg.sender), UNAUTHORIZED_ERR);
+ requireAssetRegistered(asset);
  pools[asset].deployer = deployer;
}

Remediation

This issue has been acknowledged by Ferum Labs, and a fix was implemented in commit d7158213↗.

The team added requireAssetRegistered(asset) for checking the pool.