Category: Business Logic

Pool toggling functionality may allow factory owner to lock exercising of options

High Severity
Low Impact
Low Likelihood

Description

The WasabiFactory contract allows its owner to toggle pools.

function togglePool(address _poolAddress, bool _enabled) external onlyOwner {
    require(poolAddresses[_poolAddress] != _enabled, 'Pool already in same state');
    poolAddresses[_poolAddress] = _enabled;
}

Disabling a pool prevents it from burning options, because `burnOption` only accepts calls from pools that are currently enabled:

function burnOption(uint256 _optionId) external {
    require(poolAddresses[msg.sender], "Only enabled pools can burn options");
    options.burn(_optionId);
}

Impact

When pools are disabled, the existing options associated with those pools become unexercisable. This effectively allows the owner to prevent option holders from utilizing the options they have purchased.

Recommendations

Disabling pools is a reasonable functionality; however, it should not have an impact on the options that have already been issued. One possible solution would be to allow disabled pools to burn options but not mint new ones.
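
One way to express this recommendation, as an added sketch that is not Wasabi's code and not the fix from the commit referenced under Remediation: the boolean flag becomes a three-state value, so a disabled pool is still distinguishable from an address that was never a pool. `FactorySketch`, `IOptionNFT`, `PoolState`, `registerPool` and `issueOption` are hypothetical names assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration, not Wasabi's code. IOptionNFT, PoolState, registerPool
// and issueOption are hypothetical names assumed for this sketch.
interface IOptionNFT {
    function mint(address to) external returns (uint256);
    function burn(uint256 optionId) external;
}
contract FactorySketch {
    enum PoolState { UNKNOWN, ENABLED, DISABLED }
    address public immutable owner;
    IOptionNFT public immutable options;
    mapping(address => PoolState) public poolState;

    constructor(IOptionNFT _options) {
        owner = msg.sender;
        options = _options;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    function registerPool(address _pool) external onlyOwner {
        require(poolState[_pool] == PoolState.UNKNOWN, "Pool already registered");
        poolState[_pool] = PoolState.ENABLED;
    }

    // Toggling only moves a registered pool between ENABLED and DISABLED.
    function togglePool(address _pool, bool _enabled) external onlyOwner {
        PoolState next = _enabled ? PoolState.ENABLED : PoolState.DISABLED;
        require(poolState[_pool] != PoolState.UNKNOWN, "Unknown pool");
        require(poolState[_pool] != next, "Pool already in same state");
        poolState[_pool] = next;
    }

    // Minting new options requires a pool that is currently enabled.
    function issueOption(address _to) external returns (uint256) {
        require(poolState[msg.sender] == PoolState.ENABLED, "Only enabled pools can issue options");
        return options.mint(_to);
    }

    // Burning only requires a registered pool, so options issued before a pool was disabled stay exercisable.
    function burnOption(uint256 _optionId) external {
        require(poolState[msg.sender] != PoolState.UNKNOWN, "Only registered pools can burn options");
        options.burn(_optionId);
    }
}
```

With this split, the owner can stop a pool from issuing new options without affecting holders of options that pool has already issued.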

Remediation

This issue has been acknowledged by Wasabi, and a fix was implemented in commit 28e1245c.

Zellic © 2024