Closed code423n4 closed 2 years ago
naps62
commented
2 years ago I don't think this is a real issue with the contracts. Also, for what it's worth, if one assumes a malicious governor contract, then this wouldn't be the first major concern to have
naps62
commented
2 years ago This will not be checked. There's no good way to fix this, other than to come up with a completely arbitrary max number, which will invariantly have to be "too high" as well (e.g.: 40%) since we can't predict the future, and will itself raise more eyebrows
Handle
Dravee
Vulnerability details
Impact
BaseStrategy:perfFeePctcan be 100% in the case of malicious/faulty governor contractProof of Concept
https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/strategy/BaseStrategy.sol#L249-L253
Tools Used
VS Code
Recommended Mitigation Steps
Set a max fee. That would also raise trust.