There needs to be consistency in checking the feePercent value in StreamFactory.updateFeeParams() versus Stream.constructor()
Impact
The check for feePercent in Stream.constructor() is redundant; if it is kept, however, the maximum value it checks against
should be consistent with the value used in StreamFactory.updateFeeParams()
Proof of Concept
File: Locke.sol
Contract / Function : StreamFactory / updateFeeParams()
Line : 851
function updateFeeParams(GovernableFeeParams memory newFeeParams) public governed {
require(newFeeParams.feePercent <= MAX_FEE_PERCENT, "fee");
Contract / Function : Stream / constructor()
Line : 285
// limit feePercent
require(feePercent < 10000, "fee");
Tools Used
Manual review
Recommended Mitigation Steps
Option 1:
Remove the check for feePercent in Stream.constructor() if it is redundant
Option 2:
define the same constant MAX_FEE_PERCENT in Stream contract storage
uint16 constant MAX_FEE_PERCENT = 500; // 500/10000 == 5%
and update the value to check against in Stream.constructor()
// limit feePercent
require(feePercent <= MAX_FEE_PERCENT, "fee");
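Option 2 taken one step further, as an added illustration that is not the Locke codebase: both contracts inherit the cap from one abstract contract, so there is a single definition of MAX_FEE_PERCENT and the two checks cannot drift apart again. The governed modifier, the shape of GovernableFeeParams and the createStream() helper are assumptions for the sake of a compilable example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Single source of truth for the fee cap, shared by factory and stream.
abstract contract FeeBounds {
    uint16 internal constant MAX_FEE_PERCENT = 500; // 500/10000 == 5%
}

contract Stream is FeeBounds {
    uint16 public immutable feePercent;

    constructor(uint16 feePercent_) {
        // Same bound as StreamFactory.updateFeeParams(): a value such as 9999
        // would have passed the old `< 10000` check but is rejected here.
        require(feePercent_ <= MAX_FEE_PERCENT, "fee");
        feePercent = feePercent_;
    }
}

contract StreamFactory is FeeBounds {
    // Assumed struct layout; only feePercent is relevant to the finding.
    struct GovernableFeeParams {
        uint16 feePercent;
    }

    GovernableFeeParams public feeParams;
    address public immutable governor;

    // Assumed governance guard (the original's `governed` modifier body is not shown).
    modifier governed() {
        require(msg.sender == governor, "!gov");
        _;
    }

    constructor() {
        governor = msg.sender;
    }

    function updateFeeParams(GovernableFeeParams memory newFeeParams) public governed {
        require(newFeeParams.feePercent <= MAX_FEE_PERCENT, "fee");
        feeParams = newFeeParams;
    }

    // Assumed helper: the stream receives the governed value, so the
    // constructor check is now a defence-in-depth re-check of the same cap.
    function createStream() external returns (Stream) {
        return new Stream(feeParams.feePercent);
    }
}
```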
Handle
hubble