In StreamFactory, the protocol max fee is defined to be 500.
However in Stream, it is checked whether the protocol fee is < 10000 (total basis points).
Impact
I think this might be considered "function incorrect as to spec" and this is why I rated this issue low severity.
At the very least this issue can raise some confusion when reading the code.
Proof of Concept
In StreamFactory, max fee is hardcoded to be 500:
` ``
uint16 constant MAX_FEE_PERCENT = 500; // 500/10000 == 5%
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L773
And upon update of fee, it is checked against that variable:
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L851
In Stream, the fee percent is limited to 10000.
require(feePercent < 10000, "fee");
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L286
## Recommended Mitigation Steps
I suggest having the two values match - either by reading the max fee from the factory, or by hardcoding it to match.
brockelmore
commented
2 years ago
Handle
kenzo
Vulnerability details
In StreamFactory, the protocol max fee is defined to be 500. However in Stream, it is checked whether the protocol fee is < 10000 (total basis points).
Impact
I think this might be considered "function incorrect as to spec" and this is why I rated this issue low severity. At the very least this issue can raise some confusion when reading the code.
Proof of Concept
In StreamFactory, max fee is hardcoded to be 500: ` `` uint16 constant MAX_FEE_PERCENT = 500; // 500/10000 == 5%
require(newFeeParams.feePercent <= MAX_FEE_PERCENT, "fee");
require(feePercent < 10000, "fee");