code-423n4 / 2022-06-putty-findings


Upgraded Q -> M from 390 [1657876456166] #445

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Judge has assessed an item in Issue #390 as Medium risk. The relevant finding follows:

HickupHH3 commented 1 year ago

1.4. A malicious owner can keep the fee rate at zero, but if a large value transfer enters the mempool, the owner can jack the rate up to the maximum

The PuttyV2.withdraw() function fetches the current fee from the contract's state. This fee can be changed by the Admin/DAO.

File: PuttyV2.sol

```solidity
function setFee(uint256 _fee) public payable onlyOwner {
    require(_fee < 30, "fee must be less than 3%");

    fee = _fee;

    emit NewFee(_fee);
}
```

Mitigation: Make sure a governance timelock is in place.

dup of #422
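As an added illustration of the timelock mitigation named above (example code, not PuttyV2's own), the fee change becomes a two-step process: the owner announces the new rate, and it can only be applied after a fixed delay, so a pending increase is visible on-chain before it can affect any withdraw. The contract name, the `FEE_DELAY` value and the `proposeFee`/`applyFee` functions are assumptions for the example; the `fee < 30` bound and the `NewFee` event mirror the snippet in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not PuttyV2 code): a two-step, timelocked fee change.
// The owner must announce a new fee and wait FEE_DELAY before it takes effect,
// so users can see a pending change well before it can apply to a withdraw.
contract TimelockedFee {
    uint256 public constant MAX_FEE = 30;       // same bound as the finding's setFee: fee must be < 30 (3%)
    uint256 public constant FEE_DELAY = 2 days; // assumed delay; set per governance policy

    address public owner;
    uint256 public fee;           // fee in effect, the value withdraw() would read

    uint256 public pendingFee;    // announced but not yet applied
    uint256 public pendingFeeEta; // earliest timestamp pendingFee may be applied (0 = none pending)

    event NewFee(uint256 fee);
    event FeeProposed(uint256 fee, uint256 eta);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Step 1: announce. Nothing changes for withdraw() yet.
    function proposeFee(uint256 _fee) external onlyOwner {
        require(_fee < MAX_FEE, "fee must be less than 3%");
        pendingFee = _fee;
        pendingFeeEta = block.timestamp + FEE_DELAY;
        emit FeeProposed(_fee, pendingFeeEta);
    }

    // Step 2: apply, only once the delay has elapsed. Anyone may call this;
    // the owner cannot shorten the delay or apply a value other than the one announced.
    function applyFee() external {
        require(pendingFeeEta != 0 && block.timestamp >= pendingFeeEta, "timelock not expired");
        fee = pendingFee;
        pendingFeeEta = 0;
        emit NewFee(fee);
    }
}
```

The `FeeProposed` event gives monitoring a concrete signal to alert on; a fee change that is not preceded by a proposal at least `FEE_DELAY` earlier cannot occur.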