code-423n4 / 2021-09-wildcredit-findings


Incorrect error message strings with require()s #59

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

Use of correct/informative error messages helps troubleshoot exceptional conditions during transaction failures or unexpected behavior. Missing/incorrect/misleading error strings waste crucial time during exploits or emergency conditions.

For reference, see Note 2 in OpenZeppelin's Audit of Compound Governor Bravo: https://blog.openzeppelin.com/compound-governor-bravo-audit/

The error messages should typically be the inverse/opposite of the check performed in the require(). The error messages in contracts here are not the inverse, and in a few cases are copy-pasted incorrectly from other checks, which is misleading.

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L50

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L61

Tools Used

Manual Analysis

Recommended Mitigation Steps

Use correct/informative error messages with require() statements.
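
The two patterns the finding describes (a message that restates the condition that must hold, so a revert reads as if the check had passed, and a message copy-pasted from a different check) are easy to catch mechanically. The script below is an added example written for this page, not code from the wild.credit repository or from the warden; the `RateModel` contract it scans is a constructed sample with hypothetical setter names, and the operator-matching rule is a heuristic, not a formal check.

```python
"""Heuristic lint for require() error strings in Solidity source.

Flags (a) a message whose comparison operator is the same as the
condition's, i.e. it states what must hold instead of what went wrong,
(b) a message whose operator is neither the same nor the inverse, and
(c) the same message reused on a different condition (copy-paste).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a hypothetical contract, not code from the
# wild.credit repository. Lines 7 and 12 carry the bad messages, line 17
# the corrected form.
SAMPLE_SOL = """\
contract RateModel {
    uint public constant MAX_RATE = 1e18;
    uint public constant MIN_RATE = 0;

    function setLowRate(uint _value) external {
        // Message restates the condition that must hold, not what went wrong.
        require(_value <= MAX_RATE, "RateModel: _value <= MAX_RATE");
    }

    function setHighRate(uint _value) external {
        // Message copy-pasted from the check above; it does not match this condition.
        require(_value >= MIN_RATE, "RateModel: _value <= MAX_RATE");
    }

    function setTargetUtilization(uint _value) external {
        // Correct: the message states the condition that is true when the revert fires.
        require(_value <= MAX_RATE, "RateModel: _value > MAX_RATE");
    }
}
"""

# Single-line require(<condition>, "<message>") calls.
REQUIRE_RE = re.compile(r'require\(\s*(.+?)\s*,\s*"([^"]*)"\s*\)')
# Two-character operators first so "<=" is not read as "<".
OPS = ("<=", ">=", "==", "!=", "<", ">")
INVERSE = {"<=": ">", ">=": "<", "==": "!=", "!=": "==", "<": ">=", ">": "<="}

Finding = Tuple[int, str, str]  # (line, kind, detail)


def first_operator(text: str) -> Optional[str]:
    """Return the first comparison operator found in text, or None."""
    for op in OPS:
        if op in text:
            return op
    return None


def lint_requires(source: str) -> List[Finding]:
    """Scan Solidity source and return (line, kind, detail) findings."""
    findings: List[Finding] = []
    seen: Dict[str, Tuple[int, str]] = {}  # message -> (line, condition)
    for m in REQUIRE_RE.finditer(source):
        cond, msg = m.group(1).strip(), m.group(2)
        line = source.count("\n", 0, m.start()) + 1
        cond_op, msg_op = first_operator(cond), first_operator(msg)
        if cond_op and msg_op:
            if msg_op == cond_op:
                findings.append((line, "restates_condition",
                                 f"message uses {msg_op!r} like the condition; "
                                 f"expected {INVERSE[cond_op]!r}"))
            elif msg_op != INVERSE[cond_op]:
                findings.append((line, "not_inverse",
                                 f"message uses {msg_op!r}, condition uses {cond_op!r}"))
        # The same string guarding a different condition is a copy-paste signal.
        if msg in seen and seen[msg][1] != cond:
            findings.append((line, "duplicate_message",
                             f"same message as line {seen[msg][0]} guards a different condition"))
        seen.setdefault(msg, (line, cond))
    return findings


if __name__ == "__main__":
    for line, kind, detail in lint_requires(SAMPLE_SOL):
        print(f"line {line}: {kind}: {detail}")
```

Run against the sample it reports line 7 as restating its own condition and line 12 twice, once for an operator that is not the inverse and once as a duplicate of the message on line 7; the corrected check on line 17 is silent. Messages without a comparison operator (for example a bare `"paused"`) are left alone, since the heuristic has nothing to compare, so this complements rather than replaces a manual read of each revert string.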

talegift commented 2 years ago

The primary concern seems to be increasing clarity. As it's not a bug, I suggest decreasing severity to 0.

ghoul-sol commented 2 years ago

Best practices, non-critical