code-423n4 / 2021-09-defiprotocol-findings

Protocol owner fee limit not verified correctly (Factory.sol) #127

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

ye0lde

Vulnerability details

Impact

Per the info section of the "Readme": The protocol owner fee split must be less than 20% of the basket's license fee.

The function setOwnerSplit (in Factory.sol) allows a fee of less than or equal to 20%.

Proof of Concept

The "protocol owner fee" requirement is documented here: https://github.com/code-423n4/2021-09-defiProtocol#readme

The "protocol owner fee" is verified and set here: https://github.com/code-423n4/2021-09-defiProtocol/blob/52b74824c42acbcd64248f68c40128fe3a82caf6/contracts/contracts/Factory.sol#L55-L59

Tools Used

Visual Studio Code

Recommended Mitigation Steps

Set the "require" statement below to "< 2e17" or change the documentation to reflect the actual requirement.

require(newOwnerSplit <= 2e17); // 20%

Consider making the protocol owner fee limit ("2e17") a constant.
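The two mitigation steps above, shown side by side as an added example that is not part of the original issue and is not the project's Factory.sol. Only `setOwnerSplit` and the quoted `require` line come from the report; the contract name, owner check, event, `MAX_OWNER_SPLIT`, and the 1e18 fixed-point scale are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch: everything except setOwnerSplit and the reported
// require line is invented here to make the example self-contained.
contract OwnerSplitSketch {
    // Assumption: 1e18 represents 100%, inferred from "2e17 // 20%".
    // The bound is exclusive, matching the README wording "less than 20%".
    uint256 public constant MAX_OWNER_SPLIT = 2e17;

    address public immutable owner;
    uint256 public ownerSplit;

    event OwnerSplitChanged(uint256 oldSplit, uint256 newSplit);

    constructor() {
        owner = msg.sender;
    }

    // Check as quoted in the report: a value of exactly 2e17 (20%) passes,
    // which the documented requirement excludes.
    function setOwnerSplitAsReported(uint256 newOwnerSplit) external {
        require(msg.sender == owner, "not owner");
        require(newOwnerSplit <= 2e17); // 20%
        ownerSplit = newOwnerSplit;
    }

    // Mitigated form: strict comparison against the named constant, so the
    // limit is defined once and 2e17 itself is rejected.
    function setOwnerSplit(uint256 newOwnerSplit) external {
        require(msg.sender == owner, "not owner");
        require(newOwnerSplit < MAX_OWNER_SPLIT, "owner split must be < 20%");
        emit OwnerSplitChanged(ownerSplit, newOwnerSplit);
        ownerSplit = newOwnerSplit;
    }
}
```

The only input on which the two setters disagree is `newOwnerSplit == 2e17`, so a regression test for this finding needs the three boundary values `2e17 - 1`, `2e17`, and `2e17 + 1`.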

GalloDaSballo commented 2 years ago

Agree with finding; will not bump to 1 just because it's really non-critical