search

code-423n4 / 2024-07-basin-validation

0 stars 0 forks source link

Lack of Input Sanitization in Stable2LUT1.sol #82

Closed c4-bot-9 closed 3 months ago

c4-bot-9 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-07-basin/blob/main/src/functions/StableLUT/Stable2LUT1.sol#L27

Vulnerability details

Impact

The getRatiosFromPriceLiquidity and getRatiosFromPriceSwap functions do not have any checks to ensure that the input provided is valid.

This could lead to unexpected behaviour if an invalid value is passed as an argument to the function.

Moreover, the use of nested if-else conditions for price ranges is not the most efficient way for price level determination and makes the code harder to read and maintain.

Proof of Concept

Example

function getRatiosFromPriceLiquidity(uint256 price) external pure returns (PriceData memory) 
{
  if (price < 1.006758e6) 
  {
    // ...
  } 
  // ...
}

Tools Used

Manual Review

Recommended Mitigation Steps

Instead of nested conditions, it could be more optimal to use a divide and conquer approach, or binary search if the price levels are sorted.

Also, adding require statements to validate the input can help prevent unintended behavior. For example, ensure the price is within a range of acceptable values.

Furthermore, consider refactoring the code to avoid deeply nested conditional statements to enhance readability and maintainability. Dividing sections of code into separate functions would make it easier to follow the logic and would allow for better usage, testing, and code modification.

Assessed type

Math

nevillehuang commented 3 months ago

Likely Invalid, the protocol seems to be designed this way as noted here, this is likely only suggesting an improvement, not a security vulnerability