Closed code423n4 closed 2 years ago
I don't think this is a real issue with the contracts. Also, for what it's worth, if one assumes a malicious governor contract, then this wouldn't be the first major concern to have.
This will not be checked. There's no good way to fix this, other than to come up with a completely arbitrary max number, which will invariably have to be "too high" as well (e.g., 40%) since we can't predict the future, and will itself raise more eyebrows.
Handle
Dravee
Vulnerability details
Impact
BaseStrategy:perfFeePct can be 100% in the case of a malicious/faulty governor contract.
Proof of Concept
https://github.com/code-423n4/2022-01-sandclock/blob/main/sandclock/contracts/strategy/BaseStrategy.sol#L249-L253
Tools Used
VS Code
Recommended Mitigation Steps
Set a max fee. That would also raise trust.