Credit mode changes bypass the timelock mechanism
Description
As shown below, ManagementAccount::requestCreditMode directly updates _creditService and _creditCollateralToken instead of their pending counterparts:
function requestCreditMode(address service, address collateralToken) external onlyOwner {
[...]
! _creditService = service;
! _creditCollateralToken = collateralToken;
[...]
}
This bypasses the timelock mechanism. The intended flow requires mode changes to be queued in pending state first, then applied only after the cooldown period when executeModeChange() is called.
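The queue-then-execute flow described above, as an added Solidity sketch that is not Hyperbeat's code and not taken from the audited repository. The function names and the four state variable names appear in this finding; COOLDOWN and its value, _pendingModeReadyAt, activeMode(), the owner handling and the custom errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative model only, not the audited ManagementAccount contract.
// COOLDOWN, _pendingModeReadyAt, activeMode() and the errors are assumed names.
contract TimelockedCreditMode {
    uint256 public constant COOLDOWN = 1 days; // assumed value

    address public immutable owner;
    address private _creditService;
    address private _creditCollateralToken;
    address private _pendingCreditService;
    address private _pendingCreditCollateralToken;
    uint256 private _pendingModeReadyAt; // 0 means nothing is queued

    error NotOwner();
    error NothingPending();
    error CooldownActive(uint256 readyAt);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    // Step 1: queue only. The active pair must not change in this call.
    function requestCreditMode(address service, address collateralToken) external onlyOwner {
        _pendingCreditService = service;
        _pendingCreditCollateralToken = collateralToken;
        _pendingModeReadyAt = block.timestamp + COOLDOWN; // re-requesting restarts the clock
    }

    // Step 2: promote pending to active once the cooldown has elapsed.
    function executeModeChange() external onlyOwner {
        uint256 readyAt = _pendingModeReadyAt;
        if (readyAt == 0) revert NothingPending();
        if (block.timestamp < readyAt) revert CooldownActive(readyAt);
        _creditService = _pendingCreditService;
        _creditCollateralToken = _pendingCreditCollateralToken;
        delete _pendingCreditService;
        delete _pendingCreditCollateralToken;
        delete _pendingModeReadyAt;
    }

    function activeMode() external view returns (address, address) {
        return (_creditService, _creditCollateralToken);
    }
}
```

In this model, activeMode() returns the old pair after requestCreditMode and only changes once executeModeChange() succeeds, which is the property the finding says was violated.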
Impact
Users can change credit modes instantly without the required cooldown period, bypassing the timelock mechanism entirely. This eliminates the security window intended to allow operators to review mode changes and take protective actions before they become active.
Recommendations
Update requestCreditMode to set pending state variables:
function requestCreditMode(address service, address collateralToken) external onlyOwner {
[...]
- _creditService = service;
- _creditCollateralToken = collateralToken;
+ _pendingCreditService = service;
+ _pendingCreditCollateralToken = collateralToken;
[...]
}
Remediation
This issue has been acknowledged by Hyperbeat, and a fix was implemented in commit 73c583a8.
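Review bot: in the recommended requestCreditMode change, the two added lines only redirect the writes to _pendingCreditService and _pendingCreditCollateralToken; whether the cooldown start is recorded in the same call sits behind the elided [...] and cannot be confirmed from the hunk. Please confirm that the request also (re)starts the cooldown and that executeModeChange() is the only place that writes _creditService and _creditCollateralToken, and add a regression test asserting that both active values are unchanged after requestCreditMode and change only when executeModeChange() is called after the cooldown period.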