Lines of code
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/CdpManager.sol#L774-L777
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/CdpManager.sol#L53
https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/CdpManagerStorage.sol#L558
Vulnerability details
Impact
Invariants ensure system health. The function setStakingRewardSplit() ensures that stakingRewardSplit <= MAX_REWARD_SPLIT. This ensures there is a hard upper limit on the possible deltaIndexFees.
However, the constructor setup functionality of the CDP Manager allows for possible misconfiguration leading to excessive fee calculation. Line 53 sets the stakingRewardSplit without validating that the value is within the expected range.
Proof of Concept
Admin creates the CDPManager.sol contract, incorrectly setting the fee to be larger than MAX_REWARD_SPLIT. Fees can then be accrued on the system as a whole until the issue is fixed.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommend validating constructor parameters to ensure values inserted reflect the expected 'invariant' behaviour elsewhere in the system.
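The unchecked constructor beside the recommended fix, as an added illustration that is not the Badger CdpManager code: the contract names, the fee helper feeOnYield() and the MAX_REWARD_SPLIT value of 10_000 basis points are assumptions, since the page does not give them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed illustration of the finding; names and MAX_REWARD_SPLIT value are assumed.
contract RewardSplitUnchecked {
    uint256 public constant MAX_REWARD_SPLIT = 10_000; // assumed: 100% in basis points
    uint256 public stakingRewardSplit;
    address public immutable authority;

    // Mirrors the reported defect: the value is stored with no bound check.
    constructor(address _authority, uint256 _stakingRewardSplit) {
        authority = _authority;
        stakingRewardSplit = _stakingRewardSplit; // invariant not enforced here
    }

    // The setter enforces the invariant that the constructor skips.
    function setStakingRewardSplit(uint256 _split) external {
        require(msg.sender == authority, "not authorized");
        require(_split <= MAX_REWARD_SPLIT, "split > MAX_REWARD_SPLIT");
        stakingRewardSplit = _split;
    }

    // Hypothetical fee share of accrued yield. If stakingRewardSplit was deployed
    // above MAX_REWARD_SPLIT, the fee exceeds the yield it is taken from.
    function feeOnYield(uint256 yieldAmount) public view returns (uint256) {
        return (yieldAmount * stakingRewardSplit) / MAX_REWARD_SPLIT;
    }
}

// Hardened variant: constructor and setter share one bounded assignment, so
// deployment with a split above MAX_REWARD_SPLIT reverts instead of misconfiguring.
contract RewardSplitChecked {
    uint256 public constant MAX_REWARD_SPLIT = 10_000;
    uint256 public stakingRewardSplit;
    address public immutable authority;

    constructor(address _authority, uint256 _stakingRewardSplit) {
        authority = _authority;
        _setStakingRewardSplit(_stakingRewardSplit);
    }

    function setStakingRewardSplit(uint256 _split) external {
        require(msg.sender == authority, "not authorized");
        _setStakingRewardSplit(_split);
    }

    function _setStakingRewardSplit(uint256 _split) internal {
        require(_split <= MAX_REWARD_SPLIT, "split > MAX_REWARD_SPLIT");
        stakingRewardSplit = _split;
    }
}
```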
Assessed type
Invalid Validation