Consider adding range check for new reserve value in setReserveFactor

aave / aave-v3-core

This repository contains the core smart contracts of the Aave V3 protocol.

https://aave.com

Other

876 stars 572 forks source link

Consider adding range check for new reserve value in setReserveFactor #439

Closed foodaka closed 2 years ago

foodaka commented 2 years ago

Identified By

ABDK

Scope

There is not range check for the new reserve factor value in PoolConfigurator.sol.
'247 function setReserveFactor(address asset, uint256 reserveFactor)

LHerskind commented 2 years ago

The setReserveFactor() from the PoolConfigurator.sol is calling ReserveConfiguration::setReserveFactor() which performs the following check:

require(reserveFactor <= MAX_VALID_RESERVE_FACTOR, Errors.RC_INVALID_RESERVE_FACTOR);

See https://github.com/aave/aave-v3-core/blob/fbe5e967b10dad1b265105eb9e7d853e832515dc/contracts/protocol/libraries/configuration/ReserveConfiguration.sol#L321

The-3D commented 2 years ago

I think it's worth to enforce that reserveFactor <= PercentageMath.PERCENTAGE_FACTOR. The check inReserveConfiguration only enforces that the passed value is lower or equal than the maximum that can be stored in the field

miguelmtzinf commented 2 years ago

Submitted #504 to address this issue