code-423n4 / 2022-06-infinity-findings


No limits for updatePenalties and lack of event emission in a critical function #281

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L364-L372

Vulnerability details

PoC

In the function updatePenalties#InfinityExchange.sol

```solidity
function updatePenalties(
    uint16 threeMonthPenalty,
    uint16 sixMonthPenalty,
    uint16 twelveMonthPenalty
) external onlyOwner {
    THREE_MONTH_PENALTY = threeMonthPenalty;
    SIX_MONTH_PENALTY = sixMonthPenalty;
    TWELVE_MONTH_PENALTY = twelveMonthPenalty;
}
```

There are no limits, and, as this is a critical function, the lack of event emission is also crucial, as users need to be aware of the penalties at the time they call rageQuit.

Recommended

Add a reasonable maximum for the penalties and emit an event.
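A hardened form of the setter along the lines of the recommendation, added here as an example and not taken from the Infinity code base. The contract and event names, the `MAX_PENALTY` ceiling, and the assumption that penalties are expressed in basis points are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not the Infinity contract. Shows the two fixes the finding
/// recommends: an upper bound on each penalty and an event on every change.
contract PenaltySetterExample {
    address public owner;

    // Assumption for this example: penalties are basis points (10_000 == 100%).
    // The ceiling stops an owner key from setting a penalty that wipes out a stake.
    uint16 public constant MAX_PENALTY = 5_000; // 50%

    uint16 public THREE_MONTH_PENALTY;
    uint16 public SIX_MONTH_PENALTY;
    uint16 public TWELVE_MONTH_PENALTY;

    // Emitted on every change so off-chain monitoring and users about to call
    // rageQuit can see the values that will apply before they act.
    event PenaltiesUpdated(
        uint16 threeMonthPenalty,
        uint16 sixMonthPenalty,
        uint16 twelveMonthPenalty
    );

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function updatePenalties(
        uint16 threeMonthPenalty,
        uint16 sixMonthPenalty,
        uint16 twelveMonthPenalty
    ) external onlyOwner {
        // Without these checks a uint16 allows any value up to 65535.
        require(threeMonthPenalty <= MAX_PENALTY, "3m penalty too high");
        require(sixMonthPenalty <= MAX_PENALTY, "6m penalty too high");
        require(twelveMonthPenalty <= MAX_PENALTY, "12m penalty too high");

        THREE_MONTH_PENALTY = threeMonthPenalty;
        SIX_MONTH_PENALTY = sixMonthPenalty;
        TWELVE_MONTH_PENALTY = twelveMonthPenalty;

        emit PenaltiesUpdated(threeMonthPenalty, sixMonthPenalty, twelveMonthPenalty);
    }
}
```

A watcher subscribed to `PenaltiesUpdated` can alert on any change, which is what lets users verify the penalty in force before calling rageQuit.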

nneverlander commented 2 years ago

Duplicate

HardlyDifficult commented 2 years ago

Fair consideration. Lowering risk and converting this into a QA report for the warden.