Open code423n4 opened 2 years ago
duplicate #211
Lines of code
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L167-L170
https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L131

Vulnerability details

Impact
An invalid `affiliateFee` amount set by the owner can result in all accumulated protocol revenue being sent to the affiliate (`FEE_ADDRESS`).

Proof of Concept
1. The protocol earns `9990` TOKE tokens in revenue and accumulates them in `Staking.sol`.
2. The owner changes `affiliateFee` from `0` to `1_000_000` (10,000%) instead of `1000` (10%) by mistake.
3. `10` TOKE tokens are received as a reward. `(10 * 1_000_000 / 10_000) == 1000`, which is all the protocol revenue in the contract.

Tools Used
VIM

Recommended Mitigation Steps
Check against a reasonable upper bound (e.g. 10% of `BASIS_POINTS`) when setting `affiliateFee` through the `setAffiliateFee()` function.
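As an added worked example (not the Yieldy project's code), the following Python model replays the report's numbers once with an unchecked setter and once with the suggested upper bound; the fee formula `amount * affiliateFee / BASIS_POINTS`, `BASIS_POINTS == 10_000`, and the `StakingModel` / `claim_reward` names are assumptions, not taken from `Staking.sol`.

```python
# Added example, not the Yieldy project's code: a minimal model of the affiliate
# fee accounting the report describes. The fee formula
# amount * affiliateFee / BASIS_POINTS and BASIS_POINTS == 10_000 are assumptions.
BASIS_POINTS = 10_000                    # assumed: 10_000 basis points == 100 %
MAX_AFFILIATE_FEE = BASIS_POINTS // 10   # the report's suggested cap: 10 %

class StakingModel:
    """Tracks the TOKE balance the contract holds on behalf of the protocol."""

    def __init__(self, revenue: int) -> None:
        self.revenue = revenue    # TOKE already accumulated in the contract
        self.affiliate_fee = 0    # in basis points, set by the owner

    def set_affiliate_fee_unchecked(self, fee: int) -> None:
        """Vulnerable setter: any value is accepted, even above BASIS_POINTS."""
        self.affiliate_fee = fee

    def set_affiliate_fee_checked(self, fee: int) -> None:
        """Mitigated setter: rejects fees above a reasonable upper bound."""
        if fee > MAX_AFFILIATE_FEE:
            raise ValueError(f"affiliateFee {fee} exceeds cap {MAX_AFFILIATE_FEE}")
        self.affiliate_fee = fee

    def claim_reward(self, amount: int) -> int:
        """Credit a claimed reward, then pay the affiliate cut out of the balance."""
        self.revenue += amount
        cut = amount * self.affiliate_fee // BASIS_POINTS
        if cut > self.revenue:  # a transfer needs tokens the contract holds
            raise ValueError("affiliate cut exceeds contract balance")
        self.revenue -= cut
        return cut

def replay_report_scenario() -> tuple[int, int]:
    """Report's numbers with the unchecked setter: 9990 TOKE accumulated, fee
    mistakenly set to 1_000_000 (10,000 %), then a 10 TOKE reward is claimed.
    Returns (affiliate cut, how much of it came out of pre-existing revenue)."""
    m = StakingModel(revenue=9_990)
    m.set_affiliate_fee_unchecked(1_000_000)
    cut = m.claim_reward(10)
    return cut, cut - 10

def mitigated_scenario() -> tuple[bool, int]:
    """Same numbers with the bounded setter: 1_000_000 is rejected, 1000 works."""
    m = StakingModel(revenue=9_990)
    try:
        m.set_affiliate_fee_checked(1_000_000)
        rejected = False
    except ValueError:
        rejected = True
    m.set_affiliate_fee_checked(1_000)
    return rejected, m.claim_reward(10)
```

With the unchecked setter the affiliate cut on a 10 TOKE reward is 1000 TOKE, so 990 TOKE of previously accumulated protocol revenue leaves the contract; with the cap in place the mistaken value is rejected and the intended 10% fee pays out 1 TOKE.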