Omniscia Olympus DAO Audit
VaultOwned Manual Review Findings
VOD-01M: Centralized Sensitive Functionality
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Medium | VaultOwned.sol:L10-L14 |
Description:
The setVault function sets the _vault address that the onlyVault modifier enforces. However, it can be invoked an arbitrary number of times, can override the _vault currently in place, and does not carry an override keyword, meaning that it is meant to be invoked by EOAs or similar actors.
Example:
contracts/types/VaultOwned.sol
```solidity
// VaultOwned.sol, lines 10-14
function setVault( address vault_ ) external onlyOwner() returns ( bool ) {
  _vault = vault_;

  return true;
}
```
Recommendation:
We advise potentially disallowing the _vault from being overwritten after it has been set once, as otherwise it can become a single point of failure for the system. Additionally, we advise omitting the returned bool, given that it is always true and the function is non-standard.
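One way to apply this recommendation, shown as an added example that is not Olympus DAO's or Omniscia's code: a set-once setVault with no bool return. The contract name, the inlined owner logic (a stand-in for the project's Ownable base), the VaultSet event, the zero-address check, the vault() getter and the compiler range are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.0 <0.9.0; // assumed range; the page does not state a compiler version

// Added example (hypothetical contract), not the audited code.
contract VaultOwnedSetOnce {
    // Minimal owner tracking inlined so the example compiles on its own (assumption).
    address private _owner;
    address private _vault;

    // Hypothetical event: lets off-chain monitoring see the one-time assignment.
    event VaultSet(address indexed vault);

    constructor() {
        _owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == _owner, "VaultOwned: caller is not the owner");
        _;
    }

    modifier onlyVault() {
        require(msg.sender == _vault, "VaultOwned: caller is not the vault");
        _;
    }

    // Set-once: the owner can assign the vault a single time and never replace it.
    // The always-true bool return of the original is dropped.
    function setVault(address vault_) external onlyOwner {
        // Reject any second call, so a compromised owner key cannot swap the vault.
        require(_vault == address(0), "VaultOwned: vault already set");
        // Reject the zero address; accepting it would leave the slot "unset"
        // and therefore still assignable later.
        require(vault_ != address(0), "VaultOwned: vault is zero address");

        _vault = vault_;
        emit VaultSet(vault_);
    }

    function vault() external view returns (address) {
        return _vault;
    }
}
```

With this variant, a mistaken first assignment cannot be corrected without redeploying, which is the trade-off against keeping the owner as a single point of failure.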
Alleviation:
The Olympus DAO team considered this exhibit but decided to retain the current behaviour of the code in place.