Omniscia AllianceBlock Audit
MPProviderFacet Manual Review Findings
MPP-01M: Inexistent Direct Invocation Protection
Type | Severity | Location |
---|---|---|
Logical Fault | | MPProviderFacet.sol:L15 |
Description:
The referenced function is meant to act as a form of state initiation yet does not impose any access control on the logic contract's implementation.
Impact:
While inconsequential in this instance, it is always best practice to not allow the logic contract implementation to be tampered with.
Example:
contracts/facets/MPProviderFacet.sol
```
11 /**
12  * @notice sets the state for the MPProviderFacet
13  * @dev This method is never attached on the diamond
14  */
15 function state(bytes memory data_) external {}
```
Recommendation:
We advise the function to be solely accessible via `delegatecall` instructions by storing the `address(this)` evaluation to an `immutable` contract variable and ensuring that `address(this) != self` when the `MPProviderFacet::state` function is invoked, guaranteeing that the function can only be accessed via `delegatecall` instructions.
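The guard described in this recommendation, as an added Solidity example (not code from the audited repository or from the audit itself). Apart from `state`, `data_` and `self`, every name here (`DelegateOnlyFacet`, `DiamondStandIn`, `DirectCallForbidden`, the storage slot label) is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: a facet whose initializer is reachable only through delegatecall.
contract DelegateOnlyFacet {
    /// The logic contract's own address, fixed at deployment. Immutables are
    /// kept in runtime bytecode, so a delegatecall still reads this value.
    address private immutable self = address(this);
    bytes32 private constant SLOT = keccak256("example.delegateonlyfacet.state");

    error DirectCallForbidden();

    /// Under delegatecall, address(this) is the calling diamond and differs
    /// from self; on a direct call the two are equal and the call reverts.
    modifier onlyDelegateCall() {
        if (address(this) == self) revert DirectCallForbidden();
        _;
    }

    /// Hypothetical initializer body: records a digest of data_ in one slot
    /// of whichever contract's storage the code is executing against.
    function state(bytes memory data_) external onlyDelegateCall {
        bytes32 slot = SLOT;
        bytes32 digest = keccak256(data_);
        assembly { sstore(slot, digest) }
    }
}

/// Hypothetical stand-in for the diamond, used to exercise both call paths.
contract DiamondStandIn {
    address public immutable facet;

    constructor(address facet_) { facet = facet_; }

    /// Runs the facet code in this contract's context, so the guard passes.
    function initViaDelegatecall(bytes memory data_) external returns (bool ok) {
        (ok, ) = facet.delegatecall(abi.encodeCall(DelegateOnlyFacet.state, (data_)));
    }

    /// Calls the logic contract directly, which the guard rejects.
    function initViaCall(bytes memory data_) external returns (bool ok) {
        (ok, ) = facet.call(abi.encodeCall(DelegateOnlyFacet.state, (data_)));
    }
}
```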
Alleviation (54fd570de24631ca65a7cea022aebe43225a08c7):
The `MPProviderFacet::state` function has been removed altogether, alleviating this exhibit as a side-effect.