code-423n4 / 2022-05-rubicon-findings


Upgraded Q -> M from 435 [1656336879506] #484

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Judge has assessed an item in Issue #435 as Medium risk. The relevant finding follows:

HickupHH3 commented 2 years ago

BathToken admin can set feeBPS to 100%

The BathToken admin can set feeBPS to 100%, which would claim all withdrawals as fees. Additionally, a malicious admin could observe and frontrun withdrawal transactions to increase the fee value and claim additional fees.

BathToken#setFeeBPS

/// @notice Admin-only function to set a Bath Token's feeBPS
function setFeeBPS(uint256 _feeBPS) external onlyBathHouse {
    feeBPS = _feeBPS;
}

Recommendation: Set and validate an upper bound on fees. Ensure the admin account is controlled by a timelock with a reasonable delay for parameter changes to mitigate frontrunning risk.
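As an added illustration of the recommended upper bound (example code, not Rubicon's BathToken): the setter rejects any value above a hard cap, and a fee helper shows why the cap matters. The contract name, the 1% cap, the event and `feeOn` are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal sketch; not the Rubicon BathToken contract.
contract BathTokenFeeBounded {
    uint256 public constant BPS_DENOMINATOR = 10_000; // 100% in basis points
    uint256 public constant MAX_FEE_BPS = 100;        // assumed cap: 1%
    uint256 public feeBPS;
    address public bathHouse;

    event FeeBPSUpdated(uint256 oldFeeBPS, uint256 newFeeBPS);

    modifier onlyBathHouse() {
        require(msg.sender == bathHouse, "not bathHouse");
        _;
    }

    constructor(address _bathHouse) {
        bathHouse = _bathHouse;
    }

    /// Admin-only setter; the cap prevents feeBPS from ever reaching 10_000 (100%),
    /// so no parameter change can turn a withdrawal entirely into fees.
    function setFeeBPS(uint256 _feeBPS) external onlyBathHouse {
        require(_feeBPS <= MAX_FEE_BPS, "feeBPS exceeds cap");
        emit FeeBPSUpdated(feeBPS, _feeBPS);
        feeBPS = _feeBPS;
    }

    /// Fee retained from a withdrawal of `amount`. Without the cap above,
    /// feeBPS == 10_000 would make this return `amount` itself.
    function feeOn(uint256 amount) public view returns (uint256) {
        return (amount * feeBPS) / BPS_DENOMINATOR;
    }
}
```

The frontrunning half of the recommendation is addressed outside this contract, by making `bathHouse` a timelock so that a fee change is visible for its full delay before it can take effect.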

dup of #21