code-423n4 / 2024-03-abracadabra-money-findings


Missing upper limit in setfee (centralization risk) #188

Closed c4-bot-7 closed 8 months ago

c4-bot-7 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/blast/BlastOnboarding.sol#L147

Vulnerability details

Impact

setFeeTo allows the owner to set feeRate to any value.

(setFeeTo) allows the owner to set the fee for a service without any restrictions. This presents a vulnerability as there's no maximum limit, enabling the owner to potentially raise fees to unreasonable levels. The owner can set feeRate to 100% to rug users.

Proof of Concept

https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/blast/BlastOnboarding.sol#L147C4-L153C38

function setFeeTo(address feeTo_) external onlyOwner {
    // Only a zero-address check; no bound on the fee configuration itself
    if (feeTo_ == address(0)) {
        revert ErrZeroAddress();
    }

    feeTo = feeTo_;
    emit LogFeeToChanged(feeTo_);
}

Tools Used

Recommended Mitigation Steps

Consider introducing an upper limit for fees so users can know the maximum fees available in the protocol.

Assessed type

Rug-Pull
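One way to apply the recommended mitigation, as an added illustration that is not the Abracadabra code nor part of the original issue: a hypothetical contract whose fee-rate setter reverts above a hard-coded ceiling, so the ceiling is enforced on-chain rather than promised off-chain (contract, function and constant names, and the 5% cap value, are assumptions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical example (not the audited code base): an owner-controlled fee
/// setter with an on-chain maximum so the rate can never reach 100%.
contract BoundedFeeExample {
    uint256 public constant BIPS = 10_000;      // 100% expressed in basis points
    uint256 public constant MAX_FEE_BIPS = 500; // assumed protocol ceiling: 5%

    address public owner;
    address public feeTo;
    uint256 public feeRateBips;

    error ErrZeroAddress();
    error ErrNotOwner();
    error ErrFeeTooHigh(uint256 requested, uint256 max);

    event LogFeeToChanged(address indexed feeTo);
    event LogFeeRateChanged(uint256 previous, uint256 current);

    modifier onlyOwner() {
        if (msg.sender != owner) revert ErrNotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Recipient setter: the zero-address check alone says nothing about how
    // large the fee may become.
    function setFeeTo(address feeTo_) external onlyOwner {
        if (feeTo_ == address(0)) revert ErrZeroAddress();
        feeTo = feeTo_;
        emit LogFeeToChanged(feeTo_);
    }

    // Rate setter with the upper bound: any value above MAX_FEE_BIPS reverts,
    // so users can read the worst-case fee directly from the contract.
    function setFeeRate(uint256 feeRateBips_) external onlyOwner {
        if (feeRateBips_ > MAX_FEE_BIPS) revert ErrFeeTooHigh(feeRateBips_, MAX_FEE_BIPS);
        emit LogFeeRateChanged(feeRateBips, feeRateBips_);
        feeRateBips = feeRateBips_;
    }

    // Fee charged on an amount; by construction never more than MAX_FEE_BIPS.
    function feeOn(uint256 amount) external view returns (uint256) {
        return (amount * feeRateBips) / BIPS;
    }
}
```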

0xm3rlin commented 8 months ago

no factor

c4-pre-sort commented 8 months ago

141345 marked the issue as duplicate of #60

c4-judge commented 8 months ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 8 months ago

thereksfour marked the issue as grade-c