Omniscia Rari Capital Audit
CDaiDelegate Manual Review Findings
CDD-01M: Inconsistent Access Control
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Minor | CDaiDelegate.sol:L31, L73 |
Description:
The linked require checks appear to be carried over unchanged from the original Compound codebase and do not conform to the new access-control paradigm of the codebase, which gates admin-only functions through the hasAdminRights() utility function. That function performs additional checks beyond a plain msg.sender == admin comparison, so these two functions are guarded by a weaker condition than the rest of the admin-only surface.
Example:
contracts/CDaiDelegate.sol
```solidity
function _becomeImplementation(bytes memory data) public {
    require(msg.sender == admin, "only the admin may initialize the implementation");

    (address daiJoinAddress_, address potAddress_) = abi.decode(data, (address, address));
    return _becomeImplementation(daiJoinAddress_, potAddress_);
}
```

Recommendation:
We advise that both require checks be replaced by invocations of the inherited hasAdminRights() function (i.e. require(hasAdminRights(), ...)) so that the access control applied to these functions is consistent with the rest of the codebase.
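The following is an added illustration of the recommended change, written for this report and not taken from the Rari codebase. The AdminRightsExample contract, its adminHasRights flag, and the body of hasAdminRights() are assumptions standing in for the inherited storage and utility; the real hasAdminRights() contains additional checks that are not reproduced here. The point it demonstrates is that a bare msg.sender == admin comparison keeps passing even when the shared utility would refuse, so the two guards can diverge.

```solidity
// SPDX-License-Identifier: BSD-3-Clause
pragma solidity ^0.8.0;

// Illustrative stand-in for the admin storage and the hasAdminRights()
// utility the audited contracts inherit (assumption, not the project's code).
contract AdminRightsExample {
    address public admin;
    address public daiJoinAddress;
    address public potAddress;
    // Assumed additional condition that the plain identity check ignores.
    bool public adminHasRights = true;

    constructor() {
        admin = msg.sender;
    }

    // Assumed shape of the inherited utility: identity AND rights flag.
    function hasAdminRights() internal view returns (bool) {
        return msg.sender == admin && adminHasRights;
    }

    // Assumed governance hook that can strip the admin's rights.
    function _setAdminHasRights(bool newValue) external {
        require(hasAdminRights(), "only the admin may change admin rights");
        adminHasRights = newValue;
    }

    // Before (the pattern flagged in CDD-01M): checks identity only, so it
    // still succeeds after adminHasRights has been set to false.
    function becomeImplementationBefore(bytes memory data) external {
        require(msg.sender == admin, "only the admin may initialize the implementation");
        (address daiJoinAddress_, address potAddress_) = abi.decode(data, (address, address));
        _becomeImplementation(daiJoinAddress_, potAddress_);
    }

    // After: routed through the shared utility, so every admin-gated function
    // enforces the same policy.
    function becomeImplementationAfter(bytes memory data) external {
        require(hasAdminRights(), "only the admin may initialize the implementation");
        (address daiJoinAddress_, address potAddress_) = abi.decode(data, (address, address));
        _becomeImplementation(daiJoinAddress_, potAddress_);
    }

    // Same fix applied to the second flagged location: the resignation path.
    function resignImplementationAfter() external {
        require(hasAdminRights(), "only the admin may abandon the implementation");
        daiJoinAddress = address(0);
        potAddress = address(0);
    }

    function _becomeImplementation(address daiJoinAddress_, address potAddress_) internal {
        daiJoinAddress = daiJoinAddress_;
        potAddress = potAddress_;
    }
}
```

To reproduce the divergence in a local test: deploy the contract, call _setAdminHasRights(false) from the admin account, then call both becomeImplementation variants with abi.encode(addr1, addr2). The "Before" variant still succeeds, while the "After" variant reverts, which is the consistency the recommendation restores.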
Alleviation:
The Rari team responded by stating that they slimmed down the codebase prior to the audit and, in doing so, reverted certain changes they had made to the admin-specific access control imposed on certain functions. In the latest commit, they have restored all references to hasAdminRights(), ensuring proper enforcement of the new access control system.