code-423n4 / 2021-09-wildcredit-findings


Missing threshold check for highRate #63

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

The desired constraint is for highRate to be > lowRate, and it is checked as such in the setLowRate setter. However, highRate can be changed at any later point by using the setHighRate setter, which can set it to a value lower than lowRate because that constraint is not checked/enforced in the setHighRate setter.

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L55-L58

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/InterestRateModel.sol#L50

Tools Used

Manual Analysis

Recommended Mitigation Steps

Check that highRate is > lowRate in the setHighRate setter. If both need to be changed, then provide a combined setter for all three min/low/high rates which enforces the threshold checks on all three new values at once.
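
A sketch of the recommended mitigation, added here as an illustration; it is not part of the original report and not the audited InterestRateModel code. The contract name `RateThresholds`, the `minRate` variable, the `setRates` function, the event, the owner check and the assumed ordering minRate < lowRate < highRate are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not the audited contract.
// Assumed invariant: minRate < lowRate < highRate.
contract RateThresholds {
    address public immutable owner;
    uint256 public minRate;
    uint256 public lowRate;
    uint256 public highRate;

    event RatesUpdated(uint256 minRate, uint256 lowRate, uint256 highRate);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _min, uint256 _low, uint256 _high) {
        owner = msg.sender;
        _setRates(_min, _low, _high);
    }

    // Single-value setters route through the same validation, so the
    // check cannot be present in one setter and missing in another.
    function setLowRate(uint256 _value) external onlyOwner {
        _setRates(minRate, _value, highRate);
    }

    function setHighRate(uint256 _value) external onlyOwner {
        _setRates(minRate, lowRate, _value);
    }

    // Combined setter: lets the owner move all thresholds at once without
    // passing through an intermediate state that violates the ordering.
    function setRates(uint256 _min, uint256 _low, uint256 _high) external onlyOwner {
        _setRates(_min, _low, _high);
    }

    // All threshold checks live in one place and run on the new values.
    function _setRates(uint256 _min, uint256 _low, uint256 _high) private {
        require(_min < _low, "minRate must be < lowRate");
        require(_low < _high, "lowRate must be < highRate");
        minRate = _min;
        lowRate = _low;
        highRate = _high;
        emit RatesUpdated(_min, _low, _high);
    }
}
```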

talegift commented 2 years ago

Required an admin error. Set severity to 0.

ghoul-sol commented 2 years ago

For the same reason as #61, keeping low risk