handleFees() will revert if licenseFee is too high #52
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Warden finding
Comments
code423n4
added
1 (Low Risk)
|
Agree with finding, mitigation is to add a limit to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
gpersoon
Vulnerability details
Impact
The function handleFees() will revert if feePct >BASE
==> feePct = timeDiff * licenseFee / ONE_YEAR;
==> BASE < timeDiff * licenseFee / ONE_YEAR;
==> licenseFee > BASE * ONE_YEAR / timeDiff
So licenseFee should have a maximum value to prevent this.
Probably there is also a reasonable upperlimit to licenseFee the let the protocol function properly.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Basket.sol#L110
function handleFees() private {
..
uint256 timeDiff = (block.timestamp - lastFee);
uint256 feePct = timeDiff * licenseFee / ONE_YEAR;
uint256 fee = startSupply * feePct / (BASE - feePct); // will revert if feePct > BASE
Tools Used
Recommended Mitigation Steps
Define an upperlimit for licenseFee
Enforce this in the function proposeBasketLicense() of Factory.sol
The text was updated successfully, but these errors were encountered: