code-423n4 / 2021-09-wildcredit-findings


Lack of input validation #56

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

Input validation for the protocol’s non-address parameters is critical, similar to zero-address checks for address parameters. While the onlyOwner setters of InterestRateModel perform input validation via threshold checks, the constructor is missing these checks, which will allow the contract to be accidentally deployed with incorrect protocol parameters.

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L37-L40

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L44

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L50

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L61

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add input validation to the constructor, similar to what’s done in the setters.
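
The pattern the report recommends, as an added example that is not part of the original report and is not the Wild Credit InterestRateModel source: the constructor and the onlyOwner setters share one set of checked internal setters, so a bad deployment argument reverts. The contract name, parameter names and bounds are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the project's code.
// Contract name, parameter names and bounds are hypothetical.
contract RateModelSketch {
    address public owner;
    uint256 public targetUtilization; // percentage scaled by 1e18 (assumed unit)
    uint256 public highRate;          // rate scaled by 1e18 (assumed unit)

    uint256 private constant MAX_TARGET_UTILIZATION = 100e18; // assumed bound
    uint256 private constant MAX_RATE = 1e18;                  // assumed bound

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _targetUtilization, uint256 _highRate) {
        owner = msg.sender;
        // Deployment arguments go through the same checked paths as later
        // updates, so an out-of-range value reverts instead of being stored.
        _setTargetUtilization(_targetUtilization);
        _setHighRate(_highRate);
    }

    function setTargetUtilization(uint256 _value) external onlyOwner {
        _setTargetUtilization(_value);
    }

    function setHighRate(uint256 _value) external onlyOwner {
        _setHighRate(_value);
    }

    // Single place where each threshold check lives.
    function _setTargetUtilization(uint256 _value) internal {
        require(_value > 0 && _value < MAX_TARGET_UTILIZATION, "target utilization out of range");
        targetUtilization = _value;
    }

    function _setHighRate(uint256 _value) internal {
        require(_value < MAX_RATE, "high rate out of range");
        highRate = _value;
    }
}
```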

talegift commented 2 years ago

Required admin error. Set severity to 0.

ghoul-sol commented 2 years ago

I'm keeping only one "zero-address" validation issue per warden. This is a duplicate of #54 from the same warden. Invalid.