code-423n4 / 2021-04-vader-findings


Default value of curatedPoolLimit allows only one curated pool in Router.sol #86

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

The default value of curatedPoolLimit only allows one curated pool at any time. This can be changed with setParams(), but the DAO does not have this functionality.

This will affect the scalability of the protocol and significantly limit the liquidity pool value proposition.

Proof of Concept

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/Router.sol#L85

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/Router.sol#L96

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/Router.sol#L227

Tools Used

Manual Analysis

Recommended Mitigation Steps

Change curatedPoolLimit to a higher value on L85.
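To make the issue concrete, here is an added, simplified sketch of the pattern the finding describes: a curation counter capped by a low default curatedPoolLimit, beside a governance setter that lets the DAO raise it. This is illustrative code written for this page, not Vader's Router.sol; the contract name, the `curatePool` function, the `onlyDAO` gating and the revert-on-limit behaviour are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch of the curated-pool limit pattern from the finding.
// Names follow the issue text (curatedPoolLimit, setParams, DAO); the
// structure is illustrative and is NOT the audited Router.sol.
contract CuratedPoolLimitExample {
    address public DAO;
    uint256 public curatedPoolLimit = 1; // low default: only one curated pool can exist
    uint256 public curatedPoolCount;
    mapping(address => bool) public isCurated;

    event Curated(address indexed token);
    event LimitChanged(uint256 oldLimit, uint256 newLimit);

    modifier onlyDAO() {
        require(msg.sender == DAO, "!DAO");
        _;
    }

    constructor(address dao) {
        DAO = dao;
    }

    // Curation is capped by curatedPoolLimit. With the default of 1, the second
    // call in this sketch reverts, which is the scalability limit the finding
    // points out.
    function curatePool(address token) external onlyDAO {
        require(!isCurated[token], "already curated");
        require(curatedPoolCount < curatedPoolLimit, "curated pool limit reached");
        isCurated[token] = true;
        curatedPoolCount++;
        emit Curated(token);
    }

    // Mitigation: expose the limit to governance so the DAO can raise it
    // (the finding notes the DAO lacked this ability at the audited commit).
    // Refusing a limit below the current count keeps the invariant
    // curatedPoolCount <= curatedPoolLimit intact.
    function setParams(uint256 newCuratedPoolLimit) external onlyDAO {
        require(newCuratedPoolLimit >= curatedPoolCount, "limit below current count");
        emit LimitChanged(curatedPoolLimit, newCuratedPoolLimit);
        curatedPoolLimit = newCuratedPoolLimit;
    }
}
```

A deployment check for this class of issue is to read the limit variable on chain after deployment and confirm it matches the intended range rather than the compile-time default.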

strictly-scarce commented 3 years ago

Intended to be 5-10 as per discussion with the community. The DAO will have extra functionality to expand.

How is this medium-risk?