The "DistributionTest" contract includes a commented-out portion of the code where commission fee values are checked. The validation of commission fee values is important to ensure that they fall within an acceptable range. Without proper commission fee validation, the contract might allow invalid commission fee values, which could lead to unexpected behavior, vulnerabilities, or even financial losses.
Impact
If commission fee values are not properly validated, attackers could potentially manipulate the contract by providing malicious commission fee values that are not intended. This could result in incorrect calculations, unexpected distribution outcomes, or other security issues.
// function testIfCommissionFeeIsOutOfRangeThenRevert() public {
// // 0%
// new Distributor(factoryAdmin, stadiumAddress, 0);
// // 10%
// new Distributor(factoryAdmin, stadiumAddress, 1000);
// // revert
// vm.expectRevert(Distributor.Distributor__InvalidCommissionFee.selector);
// new Distributor(factoryAdmin, stadiumAddress, 1001);
// // revert
// vm.expectRevert(Distributor.Distributor__InvalidCommissionFee.selector);
// new Distributor(factoryAdmin, stadiumAddress, 10001);
// // revert
// vm.expectRevert(Distributor.Distributor__InvalidCommissionFee.selector);
// new Distributor(factoryAdmin, stadiumAddress, 20000);
// }
Tools Used
Manual
Recommendations
Uncomment the code section related to commission fee validation.
Implement proper validation logic to ensure that commission fee values fall within an acceptable range (e.g., between 0 and a maximum value).
Consider using a constant or a parameter to define the maximum commission fee value to avoid hardcoding.
By implementing commission fee validation, you can prevent the usage of invalid commission fee values and ensure the security and reliability of the contract's distribution mechanism.
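A sketch of the range check the recommendations describe, added here as an illustration and not taken from the audited project. The contract name `DistributorSketch`, the constant names, the state variable names and the `splitAmount` helper are assumptions; the error name and the 1000 (10%) upper bound come from the test shown above, and fees are assumed to be expressed in basis points.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Illustrative sketch only; not the audited Distributor contract.
contract DistributorSketch {
    // Error name as referenced by the test on this page.
    error Distributor__InvalidCommissionFee();

    // Assumption: fees are in basis points (10_000 = 100%),
    // consistent with the test comments where 1000 means 10%.
    uint256 public constant BASIS_POINTS = 10_000;

    // Upper bound implied by the test: 1000 is accepted, 1001 reverts.
    // Kept as a named constant so the limit is not a magic number.
    uint256 public constant MAX_COMMISSION_FEE = 1_000;

    address public immutable FACTORY_ADDRESS;
    address public immutable STADIUM_ADDRESS;
    uint256 public immutable COMMISSION_FEE;

    constructor(address factoryAddress, address stadiumAddress, uint256 commissionFee) {
        // Reject any fee above the cap at deployment time, so an
        // out-of-range value can never reach the distribution math.
        if (commissionFee > MAX_COMMISSION_FEE) {
            revert Distributor__InvalidCommissionFee();
        }
        FACTORY_ADDRESS = factoryAddress;
        STADIUM_ADDRESS = stadiumAddress;
        COMMISSION_FEE = commissionFee;
    }

    /// Hypothetical helper showing where the fee is applied.
    /// With the constructor check in place, commission <= 10% of total,
    /// so the subtraction cannot underflow. Without the check, a fee
    /// above BASIS_POINTS would make the subtraction below revert.
    function splitAmount(uint256 total)
        public
        view
        returns (uint256 commission, uint256 toWinners)
    {
        commission = (total * COMMISSION_FEE) / BASIS_POINTS;
        toWinners = total - commission;
    }
}
```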
Commission Fee Validation Absent
Severity
Medium Risk
Summary
Commission Fee Validation Absent