code-423n4 / 2021-09-defiprotocol-findings


No restrictions on owner setting params #243

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

goatbug

Vulnerability details

Impact

function setMinLicenseFee(uint256 newMinLicenseFee) public override onlyOwner {
    minLicenseFee = newMinLicenseFee;
}

function setAuctionDecrement(uint256 newAuctionDecrement) public override onlyOwner {
    auctionDecrement = newAuctionDecrement;
}

Proof of Concept

Both min license fee and auction decrement have no restrictions on the values that can be set.

This can be critical and block the contract if too high a value or a zero value is set.

I.e. the min license fee could be set higher than the total amount, causing a revert.

The same applies to the decrement.

Tools Used

Recommended Mitigation Steps

frank-beard commented 2 years ago

It is assumed the owner is trustworthy in this version of the protocol; however, we will add mitigations and further decentralization in future updates.

GalloDaSballo commented 2 years ago

Duplicate of #119
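
The range checks this finding asks for could look like the following. This is an added example, not part of the original thread or the audited project's code. The contract name, the bound constants and their values, the events, and the 1e18 fee scale are all assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added example, not the audited project's code. All bounds below are
// hypothetical placeholders; real limits must come from the protocol's own math.
contract BoundedFactoryParams {
    // Assumes the fee is a 1e18 fixed-point fraction (assumption, not from the page).
    uint256 public constant MAX_MIN_LICENSE_FEE = 0.2e18; // hypothetical cap
    uint256 public constant MIN_AUCTION_DECREMENT = 1;     // rejects zero
    uint256 public constant MAX_AUCTION_DECREMENT = 1e5;   // hypothetical cap

    address public immutable owner;
    uint256 public minLicenseFee;
    uint256 public auctionDecrement;

    // Events give off-chain monitors a record of every parameter change.
    event MinLicenseFeeSet(uint256 oldValue, uint256 newValue);
    event AuctionDecrementSet(uint256 oldValue, uint256 newValue);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Initial values go through the same checks as later updates.
    constructor(uint256 initialFee, uint256 initialDecrement) {
        owner = msg.sender;
        _setMinLicenseFee(initialFee);
        _setAuctionDecrement(initialDecrement);
    }

    function setMinLicenseFee(uint256 newMinLicenseFee) public onlyOwner {
        _setMinLicenseFee(newMinLicenseFee);
    }

    function setAuctionDecrement(uint256 newAuctionDecrement) public onlyOwner {
        _setAuctionDecrement(newAuctionDecrement);
    }

    function _setMinLicenseFee(uint256 v) internal {
        require(v <= MAX_MIN_LICENSE_FEE, "fee above cap");
        emit MinLicenseFeeSet(minLicenseFee, v);
        minLicenseFee = v;
    }

    function _setAuctionDecrement(uint256 v) internal {
        require(v >= MIN_AUCTION_DECREMENT && v <= MAX_AUCTION_DECREMENT, "decrement out of range");
        emit AuctionDecrementSet(auctionDecrement, v);
        auctionDecrement = v;
    }
}
```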