Lone Wintergreen Rattlesnake
Medium
The missing verification check in IndexManager.sol will cause potential user exposure to unsafe or malicious pods as creators can make their unverified indexes visible in the UI without protocol team validation.
struct IIndexAndStatus {
address index; // aka pod
address creator;
--> bool verified; // whether it's a safe pod as confirmed by the protocol team
bool selfLending; // if it's an LVF pod, whether it's self-lending or not
bool makePublic; // whether it should show in the UI or not
}In IndexManager.sol:updateMakePublic() there is a missing check to verify that an index has been verified by the protocol team before allowing it to be made public in the UI. The function only checks that the caller is either the owner, authorized, or the creator, but does not enforce that verified = true before allowing makePublic = true.
- A pod creator needs to deploy a new index through
deployNewIndex()to create an unverified index - The index's verified status needs to be false
- The index's
makePublicstatus needs to be false
No response
- Malicious actor creates a new index through deployNewIndex() which starts as unverified
- The actor calls updateMakePublic(index, true) on their unverified index
- The index becomes visible in the UI despite not being verified by the protocol team
- Users may interact with an unsafe or malicious index thinking it has been vetted
Users of the protocol suffer potential exposure to unverified and potentially malicious indexes that appear in the UI without protocol validation.
No response
Add a verification check in the updateMakePublic function