Open code423n4 opened 3 years ago
I agree with the lack of validation being a low severity finding. The risk is posed in the ability of the owner to set values that can potentially grief depositors or brick the protocol.
I disagree with events; you can filter them via the eth_rpc endpoint and find the function calls to the contract.
Handle
leastwood
Vulnerability details
Impact
Several functions in Factory.sol do not emit events for state changes performed, making it difficult to log changes in frontend applications. The inputs of these functions are also not validated. These should be validated to ensure the new values are properly bounded and do not break functionality.
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Factory.sol#L39-L59
Tools Used
Manual code review
Recommended Mitigation Steps
Consider logging events for any state changes made. Additionally, ensure the new values fit within expected ranges.
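As an added illustration (not code from the report or from the 2021-09-defiProtocol repository), an owner-only setter in the weak form the report describes beside a hardened one that bounds the input and emits an event; the setter names, the basis-point fee field, the treasury address and the 10% ceiling are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed shape of the issue: a privileged setter with no bounds and no event.
contract FactoryUnchecked {
    address public owner;
    uint256 public feeBps;      // fee in basis points (assumed unit)
    address public treasury;

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Weak form: a typo (e.g. 10_000 instead of 1_000) silently sets a 100% fee,
    // a zero treasury burns fees, and a frontend only learns of the change by
    // tracing calls rather than subscribing to logs.
    function setFeeBps(uint256 newFee) external onlyOwner { feeBps = newFee; }
    function setTreasury(address t) external onlyOwner { treasury = t; }
}

// Hardened form applying the report's two recommendations.
contract FactoryChecked {
    uint256 public constant MAX_FEE_BPS = 1_000; // 10% ceiling, assumed value
    address public owner;
    uint256 public feeBps;
    address public treasury;

    // Old and new values in the event let a monitor reconstruct the full history
    // with eth_getLogs and alert on any change, not just on bad ones.
    event FeeUpdated(uint256 oldFee, uint256 newFee);
    event TreasuryUpdated(address indexed oldTreasury, address indexed newTreasury);

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setFeeBps(uint256 newFee) external onlyOwner {
        require(newFee <= MAX_FEE_BPS, "fee exceeds max");
        uint256 oldFee = feeBps;
        feeBps = newFee;
        emit FeeUpdated(oldFee, newFee);
    }

    function setTreasury(address t) external onlyOwner {
        require(t != address(0), "treasury is zero address");
        address old = treasury;
        treasury = t;
        emit TreasuryUpdated(old, t);
    }
}
```

Indexed address topics let an off-chain watcher filter TreasuryUpdated by the new address directly, while the fee values stay in the log data for cheap decoding.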