search

code-423n4 / 2021-09-bvecvx-findings

0 stars 0 forks source link

`CvxLocker.setBoost` wrong validation #51

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

Vulnerability Details

The CvxLocker.setBoost function does not validate the _max, _rate parameters, instead it validates the already set storage variables.

// @audit this is checking the already-set storage variables, not the parameters
require(maximumBoostPayment < 1500, "over max payment"); //max 15%
require(boostRate < 30000, "over max rate"); //max 3x

Impact

Once wrong boost values are set (which are not validated when they are set), they cannot be set to new values anymore, breaking core contract functionality.

Recommended Mitigation Steps

Implement these two checks instead:

require(_max < 1500, "over max payment"); //max 15%
require(_rate < 30000, "over max rate"); //max 3x
GalloDaSballo commented 3 years ago

This can be an issue as our strat takes those variables at face value

GalloDaSballo commented 3 years ago

As Badger we ended up upgrading the strategy to check for the validity of the inputs

C2tP-C2tP commented 3 years ago

for convex side, we can layer on an admin contract that has the correct checks