Low Cloth Rabbit
Medium
According to the contest's ReadMe under the section Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths?, the dev team said Maximum total fees cannot exceed 10%.
Since fees are expressed in basis points, where 10_000
== 100%, the expected MAX_TOTAL_FEES
should be 1_000
, but the code sets uint256 public constant MAX_TOTAL_FEES = 10000;
. This allows the admin to bypass the expected 10% limit on max fees unintentionally.
For reference, the contest's ReadMe also says that Maximum total slash cannot exceed 10%, and the variable uint256 public constant MAX_SLASH_PERCENTAGE = 1000;
is set to 1_000. This further enforces the fact that MAX_TOTAL_FEES
should also be 1_000.
The constant variable uint256 public constant MAX_TOTAL_FEES = 10000;
is declared as 10_000 instead of 1_000. The fees can be set to 100%.
N/A
N/A
Admin calls checkFeeExceedsMaximum
function trying to increase the fees, expecting that if fees are > 10% or 1_000 basis points the call will revert. Since fees can be set up to 100%, this function will only revert if fees go beyond 100%, breaking a core invariant of the protocol.
Loss of funds for users, fees can be more than the expected 10%.
Not needed.
- uint256 public constant MAX_TOTAL_FEES = 10000;
+ uint256 public constant MAX_TOTAL_FEES = 1000;