c4-pre-sort
commented
5 months ago 0xSorryNotSorry marked the issue as sufficient quality report
Closed c4-bot-3 closed 4 months ago
c4-pre-sort
commented
5 months ago 0xSorryNotSorry marked the issue as sufficient quality report
c4-pre-sort
commented
5 months ago 0xSorryNotSorry marked the issue as primary issue
c4-sponsor
commented
5 months ago eswak (sponsor) acknowledged
c4-sponsor
commented
5 months ago eswak marked the issue as disagree with severity
eswak
commented
5 months ago I believe SDAI_CREDIT_HARDCAP is an unused variable that should be removed, thanks for pointing out.
c4-judge
commented
5 months ago Trumpero changed the severity to QA (Quality Assurance)
c4-judge
commented
5 months ago Trumpero marked the issue as grade-b
c4-judge
commented
4 months ago Trumpero marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/test/proposals/gips/GIP_0.sol#L308
Vulnerability details
Impact
In the deployment script, the constant
SDAI_CREDIT_HARDCAPis intended to be used to set the hardcap for SDAI credit in theLendingTermParamsstruct. However, another constantCREDIT_HARDCAPis being used instead. While these two values are the same and hence this mistake has no effect, it could lead to incorrect behavior of the contract if either of the two values is modified in this or future deployments.Proof of Concept
In the
GIP_0.solfile, the constantSDAI_CREDIT_HARDCAPis declared but not used. Instead, the constantCREDIT_HARDCAPis used in theLendingTermParamsfunction to set the hardcap for SDAI credit.https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/test/proposals/gips/GIP_0.sol#L308
Tools Used
Manual review
Recommended Mitigation Steps
Replace the usage of
CREDIT_HARDCAPwithSDAI_CREDIT_HARDCAPin theLendingTermParamsfunction to ensure the correct hardcap is set for SDAI credit. This will prevent any unintended consequences of modifying theCREDIT_HARDCAPorSDAI_CREDIT_HARDCAPconstants.Assessed type
Other