Title : Missing input validation for values which should not be greater than 1
Impact
Various contracts allow updates to config or parameter values that should never be greater than 1.
Input validation for this bound is missing in these update functions.
If a value greater than 1 is accepted, it may result in unpredictable behavior or a panic.
Proof of Concept
Listed below are some of the values that should be checked.
1
Config : max_borrow_factor
Contract : money-market-contracts/contracts/market/src/contract.rs
Function : pub fn update_config(...)
Line 321 :
if let Some(max_borrow_factor) = max_borrow_factor {
    config.max_borrow_factor = max_borrow_factor;
}
2
Config : base_rate
Contract : money-market-contracts/contracts/interest_model/src/contract.rs
Function : pub fn update_config(...)
Line 74 :
if let Some(base_rate) = base_rate {
    config.base_rate = base_rate;
}
3
Config : interest_multiplier
Contract : money-market-contracts/contracts/interest_model/src/contract.rs
Function : pub fn update_config(...)
Line 78 :
if let Some(interest_multiplier) = interest_multiplier {
    config.interest_multiplier = interest_multiplier;
}
Recommended Mitigation Steps
It is recommended to add a check that the values for these configs are not more than 1.
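One way to implement the recommended check, as an added example that is not the project's own code. Assumptions: `Ratio` is a stand-in for the contracts' decimal type, `ConfigError` and `checked` are hypothetical names, and the three fields are merged into one `Config` although the page places them in two contracts.

```rust
// Stand-in for the contracts' decimal type (assumption): fixed point, 18 fractional digits.
#[derive(Clone, Copy, Debug, PartialEq, PartialOrd)]
pub struct Ratio(pub u128);

impl Ratio {
    pub const ONE: Ratio = Ratio(1_000_000_000_000_000_000);
    pub fn from_percent(p: u128) -> Ratio { Ratio(p * Ratio::ONE.0 / 100) }
}

// Hypothetical merged config; on the page these fields live in two contracts.
#[derive(Clone, Debug, PartialEq)]
pub struct Config {
    pub max_borrow_factor: Ratio,
    pub base_rate: Ratio,
    pub interest_multiplier: Ratio,
}

// Hypothetical error type: names the field whose new value exceeded 1.
#[derive(Debug, PartialEq)]
pub enum ConfigError { RatioAboveOne(&'static str) }

// Pass a supplied value through only if it is at most 1.
fn checked(name: &'static str, v: Option<Ratio>) -> Result<Option<Ratio>, ConfigError> {
    match v {
        Some(r) if r > Ratio::ONE => Err(ConfigError::RatioAboveOne(name)),
        other => Ok(other),
    }
}

// Validate every supplied field first, then apply, so a rejected call changes nothing.
pub fn update_config(
    config: &mut Config,
    max_borrow_factor: Option<Ratio>,
    base_rate: Option<Ratio>,
    interest_multiplier: Option<Ratio>,
) -> Result<(), ConfigError> {
    let max_borrow_factor = checked("max_borrow_factor", max_borrow_factor)?;
    let base_rate = checked("base_rate", base_rate)?;
    let interest_multiplier = checked("interest_multiplier", interest_multiplier)?;
    if let Some(v) = max_borrow_factor { config.max_borrow_factor = v; }
    if let Some(v) = base_rate { config.base_rate = v; }
    if let Some(v) = interest_multiplier { config.interest_multiplier = v; }
    Ok(())
}

fn main() {
    let mut cfg = Config { max_borrow_factor: Ratio::from_percent(95), base_rate: Ratio::from_percent(2), interest_multiplier: Ratio::from_percent(40) };
    println!("{:?}", update_config(&mut cfg, None, Some(Ratio::from_percent(150)), None));
}
```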