search

Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app
15 stars 10 forks source link

L-1 Initializing deposit cap #491

Closed 0xdcota closed 1 year ago

0xdcota commented 1 year ago

[L-1] Initializing the deposit cap to type(uint128).max with the option of changing it later through timelock defies its purpose.

Description

The deposit cap is intended to cap the exposure initially. However, Fuji vaults define the deposit cap as type(uint128).max during construction with the option of reducing it through the timelock. 

BaseVault.sol

constructor(
    address asset_,
    address chief_,
    string memory name_,
    string memory symbol_
  )
    ERC20(name_, symbol_)
    SystemAccessControl(chief_)
    VaultPermissions(name_)
  {
         -----
    depositCap = type(uint128).max; 
    ----
  }

This defeats the purpose of the deposit cap, since it allows exceeding the planned deposit cap before the timelock takes effect. Therefore, we classify this issue as medium severity.

Remediation to consider

Consider making a deposit cap a user input during construction.

0xdcota commented 1 year ago

This low impact issue should be linked to #450 .

pedrovalido commented 1 year ago

start the PR from #487 branch. Deposit cap is going to be removed. Address this issue taking this into account

pedrovalido commented 1 year ago

@DaigaroCota Deposit cap will be removed so this issue should be closed.

0xdcota commented 1 year ago

Refer to rationale for decision to close this issue in #528.