code-423n4 / 2022-06-nested-findings

0 stars 1 forks source link

Wrong initial value of exitFees and EntryFees #100

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/NestedFactory.sol#L159 https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/NestedFactory.sol#L167 https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/NestedFactory.sol#L57

Vulnerability details

Impact

L49/53/159/167 - The exitFees and entryFees variables can only have values between 1 and 10000, which represent 0.01% and 100%, but since it is not set in the constructor, the default value is 0, a value that is incorrect.

Recommended Mitigation Steps

It should be set in the constructor and set a correct value, otherwise it would generate an erroneous behavior.

obatirou commented 2 years ago

Wrong initial value of exitFees and EntryFees (disputed).

It is set after the proxy upgrade, can be done atomically using a script (OwnerProxy).

jack-the-pug commented 2 years ago

And why 0 can not be a correct initial value? I find this issue invalid.