Lines of code

https://github.com/code-423n4/2022-02-aave-lens/blob/aaf6c116345f3647e11a35010f28e3b90e7b4862/contracts/core/modules/collect/FeeCollectModule.sol#L72

Vulnerability details

Impact

In the fee collect modules like FeeCollectModule, initializePublicationCollectModule checks that the fee amount each user needs to pay is at least BPS_MAX = 10_000 (amount >= BPS_MAX). For currencies with fewer decimals this is too restrictive. As an example, WBTC has 8 decimals, and an amount of 10_000 WBTC base units would already be 1e4/1e8 * 50_000$ = 5$ per collect, which might be above what the publication owner wants to charge. Certain currencies can effectively not be used in the system.

Recommended Mitigation Steps

Consider removing the amount restriction and just checking amount > 0.
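The arithmetic behind the finding, worked through as an added example (this is not code from the Lens repository): it computes the smallest fee, in USD, that the amount >= BPS_MAX floor permits for tokens of different decimal counts, and contrasts the original check with the recommended amount > 0 check on a fee the publication owner might actually want. The WBTC price of 50_000$ is the one the finding uses; the USDC and WETH entries, and the 0.00001 WBTC "desired fee", are constructed assumptions.

```python
from decimal import Decimal

# Floor enforced by the FeeCollectModule check described in the finding.
BPS_MAX = 10_000

# Constructed token table: name -> (decimals, assumed USD price).
# WBTC at 50_000$ is the figure from the finding; USDC and WETH are assumptions.
TOKENS = {
    "WBTC": (8, Decimal("50000")),
    "USDC": (6, Decimal("1")),
    "WETH": (18, Decimal("3000")),
}


def min_fee_usd(decimals: int, price_usd: Decimal, floor_units: int = BPS_MAX) -> Decimal:
    """Smallest collect fee in USD that a floor of `floor_units` base units allows.

    For WBTC this reproduces the finding's 1e4 / 1e8 * 50_000$ = 5$.
    """
    return Decimal(floor_units) / (Decimal(10) ** decimals) * price_usd


def to_base_units(human_amount: Decimal, decimals: int) -> int:
    """Convert a human-readable token amount into the integer base units a contract sees."""
    return int(human_amount * (Decimal(10) ** decimals))


def accepted_by_original_check(amount: int) -> bool:
    """The check the finding objects to: amount must be at least BPS_MAX."""
    return amount >= BPS_MAX


def accepted_by_recommended_check(amount: int) -> bool:
    """The mitigation the finding proposes: any positive amount is allowed."""
    return amount > 0


def floor_table() -> dict:
    """Minimum chargeable fee per token under the BPS_MAX floor."""
    return {name: min_fee_usd(dec, price) for name, (dec, price) in TOKENS.items()}


if __name__ == "__main__":
    for name, usd in floor_table().items():
        print(f"{name}: smallest fee the floor allows = {usd} USD")

    # A publication owner who wants to charge 0.00001 WBTC (0.50 USD at the assumed price).
    desired = to_base_units(Decimal("0.00001"), TOKENS["WBTC"][0])  # 1000 base units
    print(f"desired fee of {desired} WBTC base units:")
    print(f"  original check (amount >= BPS_MAX): {accepted_by_original_check(desired)}")
    print(f"  recommended check (amount > 0):     {accepted_by_recommended_check(desired)}")
```

The table makes the asymmetry visible: the same 10_000-unit floor is a rounding error for an 18-decimal token and a 5$ minimum for WBTC. When reviewing a fix, it is worth confirming what the floor was protecting before dropping it; a minimum of BPS_MAX is a common way to keep basis-point fee splits (amount * bps / BPS_MAX, in integer arithmetic) from truncating to zero, so the amount > 0 variant should be checked against any such downstream division.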