Skip to content

Latest commit

 

History

History
44 lines (24 loc) · 1.75 KB

File metadata and controls

44 lines (24 loc) · 1.75 KB

Low Cloth Rabbit

Medium

[M-2] Wrong MAX_TOTAL_FEES allows total fees to be set up to 100% instead of the expected 10%

Summary

According to the contest's ReadMe under the section Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths?, the dev team said Maximum total fees cannot exceed 10%.

Since fees are expressed in basis points, where 10_000 == 100%, the expected MAX_TOTAL_FEES should be 1_000, but the code sets uint256 public constant MAX_TOTAL_FEES = 10000;. This allows the admin to bypass the expected 10% limit on max fees unintentionally.

For reference, the contest's ReadMe also says that Maximum total slash cannot exceed 10%, and the variable uint256 public constant MAX_SLASH_PERCENTAGE = 1000; is set to 1_000. This further enforces the fact that MAX_TOTAL_FEES should also be 1_000.

Root Cause

The constant variable uint256 public constant MAX_TOTAL_FEES = 10000; is declared as 10_000 instead of 1_000. The fees can be set to 100%.

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

Admin calls checkFeeExceedsMaximum function trying to increase the fees, expecting that if fees are > 10% or 1_000 basis points the call will revert. Since fees can be set up to 100%, this function will only revert if fees go beyond 100%, breaking a core invariant of the protocol.

Impact

Loss of funds for users, fees can be more than the expected 10%.

PoC

Not needed.

Mitigation

-    uint256 public constant MAX_TOTAL_FEES = 10000;
+    uint256 public constant MAX_TOTAL_FEES = 1000;