Description

The authority can create a set with a specified name and then add MetaVesTs to the set. If a MetaVesT is in a set, any changes to its details (e.g. transferability) need to be voted on by the grantees of the MetaVesTs within the same set. The array setNames records created sets' names, while sets records MetaVesTs' addresses in each set.

The function removeSet only removes _name from the array setNames. After removal, although _name is no longer in setNames, sets[_name] may not be empty.

function removeSet(string memory _name) external onlyAuthority {
    for (uint256 i; i < setNames.length; ++i) {
        if (keccak256(bytes(setNames[i])) == keccak256(bytes(_name))) {
            setNames[i] = setNames[setNames.length - 1];
            setNames.pop();
            emit MetaVesTController_SetRemoved(_name);
            return;
        }
    }
}

If a set with name _name does not exist and sets[_name] is not empty, the set can neither be created nor cleared.

function createSet(string memory _name) external onlyAuthority {
    //check if name does not already exist
!   if (sets[_name].length != 0) revert MetaVesTController_SetAlreadyExists();
    // [...]
}

function removeMetaVestFromSet(string memory _name, address _metaVest) external onlyAuthority {
!   if(!doesSetExist(_name)) revert MetaVesTController_SetDoesNotExist();
    // [...]
}

Impact

If a set is not empty after removal, the authority cannot recreate a set with the same name.

Recommendations

Consider emptying the sets[_name] or checking if sets[_name] is empty before removing a set.

Remediation

This issue has been acknowledged by MetaLeX Labs, Inc, and a fix was implemented in commit e6b9d7a5↗.