Open code423n4 opened 1 year ago
0xScotch marked the issue as sponsor disputed
This is the desired behaviour. If we have enough capital to sustain pay the current APR for the desired runway then there is no need to apply any cap. The cap is there to avoid runaway situations that drain capital due to inflated APR. That is not a problem if we already have a full runway
It is correct though that if aprFloor
is increased above targetAPR
, it won't be applied if deficit == 0
.
Downgrading to low as it seems that this only impacts when the new admin settings will be applied.
Picodes changed the severity to QA (Quality Assurance)
Picodes marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-02-malt/blob/main/contracts/RewardSystem/RewardThrottle.sol#L154-L170
Vulnerability details
Impact
Cap is not applied when
runwayDeficit
= 0, sotargetAPR
can be an invalid value.Proof of Concept
In
RewardThrottle.updateDesiredAPR
, targetAPR will be decreased whencashflowAverageApr < targetCashflowApr
When overflow balance is enough to cover current targetAPR, there is no deficit and
runwayDeficit
returns 0 fordeficit
. Whendeficit
== 0,targetAPR
will not be updated soupdateDesiredAPR
only updates apr updated time and ends withreturn
. ButaprCap
andaprFloor
can be updated by the admin after the last update oftargetAPR
. SotargetAPR
should be capped byaprCap
andaprFloor
though it is not changed at all whendeficit
== 0. There is another early return logic inupdateDesiredAPR
before apr update period, but it's correct to skip capping because it does nothing in this case.Tools Used
Manual Review
Recommended Mitigation Steps
Apply
aprCap
andaprFloor
totargetAPR
even though it is not changed at all whendeficit
== 0.