Open code423n4 opened 2 years ago
Have to agree that a check is missing here
Downgrading to QA as even with minDiscount set larger than MAX_BPS, the only impact will be setDiscount() always reverting, so the admin needs to call setDiscountLimits() correctly first.
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/Funding.sol#L265-L271
Lines of code
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/Funding.sol#L356
Vulnerability details
Unlike maxDiscount, minDiscount is missing some sanity checks:

- minDiscount should be smaller than MAX_BPS
- minDiscount should be smaller than maxDiscount
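
The checks requested in this report, as an added example that is not part of the original issue and is not the project's code. The contract name, storage layout, custom errors, `onlyGovernance` modifier, the value of `MAX_BPS` and the range check inside `setDiscount()` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Hypothetical contract: function and variable names mirror the report,
// everything else is assumed.
contract DiscountLimitsExample {
    uint256 public constant MAX_BPS = 10_000; // assumed basis-point denominator

    address public immutable governance;
    uint256 public minDiscount;
    uint256 public maxDiscount;
    uint256 public discount;

    error NotGovernance();
    error LimitOutOfRange(uint256 value);
    error MinNotBelowMax(uint256 min, uint256 max);
    error DiscountOutsideLimits(uint256 value, uint256 min, uint256 max);

    constructor() {
        governance = msg.sender;
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    function setDiscountLimits(uint256 _min, uint256 _max) external onlyGovernance {
        // Bound on maxDiscount, which the report says is already checked.
        if (_max >= MAX_BPS) revert LimitOutOfRange(_max);
        // The two checks the report asks for. Given the bound on _max, the
        // second implies the first; both are kept so each failure is distinct.
        if (_min >= MAX_BPS) revert LimitOutOfRange(_min);
        if (_min >= _max) revert MinNotBelowMax(_min, _max);
        minDiscount = _min;
        maxDiscount = _max;
    }

    function setDiscount(uint256 _discount) external onlyGovernance {
        // Assumed range check. If limits were ever stored with min > max, no
        // value could pass it, which is the revert-only impact noted above.
        if (_discount < minDiscount || _discount > maxDiscount) {
            revert DiscountOutsideLimits(_discount, minDiscount, maxDiscount);
        }
        discount = _discount;
    }
}
```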