code-423n4 / 2021-11-streaming-findings


Inconsistency in feePercent check in StreamFactory.updateFeeParams() and Stream.constructor() #269

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

hubble

Vulnerability details

There needs to be consistency in checking the feePercent value in StreamFactory.updateFeeParams() versus Stream.constructor().

Impact

The check for feePercent in Stream.constructor() is redundant; however, if it is required to be checked, then the max value to be checked should be consistent with the value in StreamFactory.updateFeeParams().

Proof of Concept

File: Locke.sol

Contract / Function: StreamFactory / updateFeeParams()
Line: 851

    function updateFeeParams(GovernableFeeParams memory newFeeParams) public governed {
        require(newFeeParams.feePercent <= MAX_FEE_PERCENT, "fee");

Contract / Function: Stream / constructor()
Line: 285

    // limit feePercent
    require(feePercent < 10000, "fee");

Tools Used

Manual review

Recommended Mitigation Steps

Option 1: Remove the check for feePercent if redundant in Stream.constructor()

Option 2: Define the same constant MAX_FEE_PERCENT in Stream contract storage

    uint16 constant MAX_FEE_PERCENT = 500; // 500/10000 == 5%

and update the value to check against in Stream.constructor()

    // limit feePercent
    require(feePercent <= MAX_FEE_PERCENT, "fee");
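
An added example, not part of the original issue or of the project's code: a small check that extracts the upper bound each contract enforces on feePercent and reports whether they agree. The sample source is constructed from the two require() lines quoted above; the simplified constructor signature and the factory's MAX_FEE_PERCENT value of 500 (taken from Option 2) are assumptions.

```python
import re

# Constructed sample input: the two checks quoted in the issue. The constant
# value (500) comes from Option 2; the constructor signature is simplified.
SOURCE = '''
contract StreamFactory {
    uint16 constant MAX_FEE_PERCENT = 500; // 500/10000 == 5%
    function updateFeeParams(GovernableFeeParams memory newFeeParams) public governed {
        require(newFeeParams.feePercent <= MAX_FEE_PERCENT, "fee");
    }
}
contract Stream {
    constructor(uint16 feePercent) {
        // limit feePercent
        require(feePercent < 10000, "fee");
    }
}
'''

CONTRACT = re.compile(r'^\s*contract\s+(\w+)')
CONSTANT = re.compile(r'constant\s+(\w+)\s*=\s*(\d+)\s*;')
BOUND = re.compile(r'require\(\s*([\w.]+)\s*(<=|<)\s*(\w+)\s*,')

def upper_bounds(source, variable):
    """Map contract name -> largest value of `variable` its require() accepts."""
    constants = {name: int(value) for name, value in CONSTANT.findall(source)}
    bounds, contract = {}, None
    for line in source.splitlines():
        code = line.split('//')[0]  # ignore line comments
        if (m := CONTRACT.match(code)):
            contract = m.group(1)
        m = BOUND.search(code)
        if not m or m.group(1).split('.')[-1] != variable:
            continue
        limit = m.group(3)
        if not limit.isdigit() and limit not in constants:
            continue  # bound is not a literal or a known constant; skip it
        value = int(limit) if limit.isdigit() else constants[limit]
        # Normalise "< N" to the inclusive maximum N - 1
        bounds[contract] = value if m.group(2) == '<=' else value - 1
    return bounds

def inconsistent(bounds):
    """True when the contracts do not all enforce the same maximum."""
    return len(set(bounds.values())) > 1

if __name__ == '__main__':
    found = upper_bounds(SOURCE, 'feePercent')
    for name, limit in found.items():
        print(f'{name}: feePercent accepted up to {limit}')
    print('inconsistent' if inconsistent(found) else 'consistent')
```
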

brockelmore commented 2 years ago

duplicate #246