YetiFinanceTreasury.sol#updateTeamWallet() should implement two-step transfer pattern #251
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
Handle
WatchPug
Vulnerability details
https://github.com/code-423n4/2021-12-yetifinance/blob/5f5bf61209b722ba568623d8446111b1ea5cb61c/packages/contracts/contracts/YetiFinanceTreasury.sol#L28-L30
YetiFinanceTreasury.teamWallet is a critical role. If the current teamWallet mistakenly calls updateTeamWallet() with a wrong address, it can result in all the onlyTeam() methods being inaccessible, and it cannot be undone.

Recommendation
Consider changing the updateTeamWallet() function to first nominate an address as the pending teamWallet and adding an acceptTeamWallet() function which is called by the pending teamWallet to confirm the transfer.
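
A sketch of the two-step pattern recommended above, added here as an illustration and not taken from the Yeti Finance code base or from the report. The contract name, `pendingTeamWallet`, the events and the compiler version are assumptions; `teamWallet`, `onlyTeam()`, `updateTeamWallet()` and `acceptTeamWallet()` follow the names used in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumed version for this sketch

// Hypothetical contract illustrating nominate-then-accept for teamWallet.
contract TwoStepTeamWallet {
    address public teamWallet;
    address public pendingTeamWallet; // nominated, holds no privileges yet

    event TeamWalletNominated(address indexed current, address indexed pending);
    event TeamWalletUpdated(address indexed previous, address indexed current);

    modifier onlyTeam() {
        require(msg.sender == teamWallet, "caller is not teamWallet");
        _;
    }

    constructor() {
        teamWallet = msg.sender;
    }

    // Single-step form described in the finding, shown for comparison:
    //   function updateTeamWallet(address _new) external onlyTeam {
    //       teamWallet = _new; // a wrong address locks every onlyTeam() method
    //   }

    // Step 1: the current teamWallet only nominates a successor.
    // Control does not move, so a wrong nomination can be overwritten by
    // calling this again; nominating address(0) cancels a pending transfer,
    // because msg.sender can never equal address(0) in step 2.
    function updateTeamWallet(address _newTeamWallet) external onlyTeam {
        pendingTeamWallet = _newTeamWallet;
        emit TeamWalletNominated(teamWallet, _newTeamWallet);
    }

    // Step 2: the nominee confirms by calling from the nominated address,
    // which proves that address can actually sign transactions.
    function acceptTeamWallet() external {
        require(msg.sender == pendingTeamWallet, "caller is not pending teamWallet");
        emit TeamWalletUpdated(teamWallet, msg.sender);
        teamWallet = msg.sender;
        pendingTeamWallet = address(0); // clear so the nomination cannot be replayed
    }
}
```

Until `acceptTeamWallet()` succeeds, the existing `teamWallet` keeps every `onlyTeam()` permission, so a mistyped nomination costs one corrective transaction instead of the role.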