Comments (4)
ajb413
commented on July 28, 2024
1
I think that we should always disclose known risks in the documentation if we are aware of them. If we decide to add extra defenses we should document that as well. I'd say a good spot is in the docs in the governance section for approveThis https://github.com/compound-finance/comet/tree/main/docs#erc-20-approve-manager-address
from comet.
ajb413
commented on July 28, 2024
1
Added note to the docs here #414
from comet.
kevincheng96
commented on July 28, 2024
The main intention for having approveThis is to allow governance to transfer out any ERC20s accidentally sent to Comet. We do recognize the ability for governance to give approval for the base and collateral assets and transfer out user funds.
However, as you noted, this will likely require a governance attack. We'd like to point out that in the case of a governance attack, the attacker would not even need approveThis to steal user funds as they could upgrade the implementation of Comet to whatever they please.
@ajb413 Do you think this governance attack risk is worth documenting, and if so, where would be the best spot to detail this risk?
from comet.
kevincheng96
commented on July 28, 2024
Sounds good, thanks Adam!
from comet.
Related Issues (20)
- [N10] Use of Global imports HOT 1
- [N11] Potential front-run HOT 1
- [N12] Potential reentrancies HOT 1
- [N13] Repetitive code HOT 1
- [N14] Typos HOT 1
- [N15] Unnecessary return values HOT 1
- [N16] Lack of explicitness on data type sizes HOT 2
- [N17] `PRICE_SCALE` constant is not used HOT 1
- [N18] Wrong value emitted in event
- pauseGuardianSigner is null HOT 1
- Derive asset addresses in deploy script from `configuration.json`
- Addresses in `relations.ts` should be case-insensitive HOT 2
- BulkerScenario.ts should bump supply caps in testing
- Goland SDK client HOT 2
- too many errors
- Missing events
- Spider tool can't crawl base with basic infura key HOT 1
- Update project to use Node.js 18 or 20 LTS (16 was end of life September 2023)
- Spider tool: fails to crawl create2 contracts produced by internal tx HOT 1
- Arbitrum USDT Migration
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from comet.