code-423n4 / 2021-09-wildcredit-findings


Constraint of minRate < lowRate can be broken #61

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

The desired constraint is for minRate to be < lowRate, and it is checked as such in the setMinRate setter. However, lowRate can be changed at any later point by using the setLowRate setter, which can set it to a value lower than minRate because that constraint is not checked/enforced in the setLowRate setter.

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L44

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L49-L53

Tools Used

Manual Analysis

Recommended Mitigation Steps

Check that lowRate is > minRate in setLowRate setter
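An added example, not part of the original report or the audited contract: one way to apply the recommended mitigation is to state the bound once and call it from both setters. The contract name, `owner`/`onlyOwner`, the constructor and `_checkRates` are hypothetical; only `minRate`, `lowRate`, `setMinRate` and `setLowRate` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal model: only minRate, lowRate and the two setter names
// come from the finding; access control and storage layout are assumptions.
contract RateBoundsExample {
    address public owner;
    uint256 public minRate;
    uint256 public lowRate;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _minRate, uint256 _lowRate) {
        owner = msg.sender;
        minRate = _minRate;
        lowRate = _lowRate;
        _checkRates();
    }

    // The finding states that the bound is already checked on this path.
    function setMinRate(uint256 _value) external onlyOwner {
        minRate = _value;
        _checkRates();
    }

    // Without the _checkRates() call here, this setter could move lowRate
    // below minRate after setMinRate had validated the pair.
    function setLowRate(uint256 _value) external onlyOwner {
        lowRate = _value;
        _checkRates();
    }

    // Single statement of the invariant. A failed require reverts the whole
    // transaction, so the assignment made just before it is rolled back.
    function _checkRates() internal view {
        require(minRate < lowRate, "minRate must be < lowRate");
    }
}
```

Checking after the assignment in both setters keeps the comparison in one place, so a later change to the bound cannot be applied to one setter and missed in the other.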

talegift commented 2 years ago

Requires admin error. Lower severity to 0.

ghoul-sol commented 2 years ago

Sponsor is correct; however, I see a logical error here. Low risk is correct.