Omniscia Bonq Audit
trove-factory Manual Review Findings
TRE-01M: Inexplicable Capability of Re-Invocation
Type | Severity | Location |
---|---|---|
Centralization Concern | | trove-factory.sol:L225-L230, L232-L237, L239-L244, L246-L251, L253-L260 |
Description:
The linked configuration setter functions can be invoked an arbitrary number of times.
Example:
contracts/trove-factory.sol (L253-L260)

```solidity
/**
 * @dev sets contract address of Wrapped native token, along with liquidationPool
 */
// solhint-disable-next-line var-name-mixedcase
function setWETH(address _WETH, address _liquidationPool) external override onlyOwner {
  WETHContract = IWETH(_WETH);
  setLiquidationPool(_WETH, _liquidationPool);
}
```
Recommendation:
We advise making them invocable only once, as adjustments beyond the initial configuration should not be required.
Alleviation:
The Bonq Protocol team has partially fixed the issue by making `setWETH` invocable only once, while the remaining configuration setter functions can still be invoked an arbitrary number of times.
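A set-once guard of the kind the recommendation describes, written here as an added example; it is not the Bonq team's actual fix or code. The contract name `SetOnceConfig`, the `liquidationPools` mapping that stands in for `setLiquidationPool`, the marker `IWETH` interface, the event and the custom errors are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not the Bonq code base. IWETH is reduced to a marker interface.
interface IWETH {}

contract SetOnceConfig {
    address public immutable owner;
    IWETH public WETHContract; // solhint-disable-line var-name-mixedcase
    // Assumed storage layout standing in for setLiquidationPool: collateral token => pool
    mapping(address => address) public liquidationPools;

    event WETHSet(address indexed weth, address indexed liquidationPool);

    error NotOwner();
    error AlreadyInitialized();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // solhint-disable-next-line var-name-mixedcase
    function setWETH(address _WETH, address _liquidationPool) external onlyOwner {
        // The unset (zero) state doubles as the "not yet configured" flag,
        // so a second call reverts even when it comes from the owner.
        if (address(WETHContract) != address(0)) revert AlreadyInitialized();
        // Zero inputs must be rejected, otherwise the guard above would never trip.
        if (_WETH == address(0) || _liquidationPool == address(0)) revert ZeroAddress();

        WETHContract = IWETH(_WETH);
        liquidationPools[_WETH] = _liquidationPool;
        // Emit an event so the one-time configuration is visible to off-chain monitoring.
        emit WETHSet(_WETH, _liquidationPool);
    }
}
```

The same guard would have to be repeated in each of the other setters listed under Location for the finding to be fully addressed.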