This repository was archived by the owner on Mar 2, 2025. It is now read-only.
Rhaydden - Missing update functionality for compatibilityFallback in setParam function #43

Labels
Excluded: Excluded by the judge without consulting the protocol or the senior
Non-Reward: This issue will not receive a payout
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed

Rhaydden

Medium

Missing update functionality for compatibilityFallback in setParam function

Summary

The RumpelWalletFactory contract has no ability to update the compatibilityFallback address after deployment. This could lead to issues if the fallback handler needs to be changed due to upgrades or bugs.

Vulnerability Detail

In RumpelWalletFactory.sol, the compatibilityFallback address is set during the contract's construction. However, the setParam function, which allows the owner to update various parameters, does not include an option to update the compatibilityFallback address. This omission technically means that once the contract is deployed, the compatibilityFallback address cannot be changed.

Impact

This will render the contract useless. According to Sherlock docs:

The inability to update the compatibilityFallback address could result in the need to redeploy the entire contract if the fallback handler needs to be changed. This could be due to an upgrade, a bug in the fallback handler, or other issues.

Code Snippet

https://github.com/sherlock-audit/2024-07-sense-points-marketplace/blob/main/rumpel-wallet/src/RumpelWalletFactory.sol#L85-L93
Tool used
Manual Review
Recommendation
Add an option to update the compatibilityFallback address in the setParam function:

function setParam(bytes32 what, address data) external onlyOwner { if (what == "PROXY_FACTORY") proxyFactory = ISafeProxyFactory(data); else if (what == "SAFE_SINGLETON") safeSingleton = data; else if (what == "RUMPEL_MODULE") rumpelModule = data; else if (what == "RUMPEL_GUARD") rumpelGuard = data; else if (what == "INITIALIZATION_SCRIPT") initializationScript = data; + else if (what == "COMPATIBILITY_FALLBACK") compatibilityFallback = data; // Add this line else revert UnrecognizedParam(what); emit ParamChanged(what, data); }
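
Review bot: The added COMPATIBILITY_FALLBACK branch assigns data to compatibilityFallback with no validation, so an owner mistake could set the fallback handler to address(0) or to an address with no code, and nothing in setParam would reject it. Consider checking data before the assignment (at minimum a non-zero check, ideally that the address has code), and note that the existing branches share the same gap. The declaration of compatibilityFallback is not shown here, so confirm it is not declared immutable, otherwise the new assignment will not compile. The trailing "// Add this line" marker should be dropped from the final change.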