AMR-05M: Inexistent Validation of Percentages
Description:
The referenced percentages are ultimately consumed by an AssetManager::_getPortionOfBid call and should therefore never exceed 100_00 (100% in the contract's basis-point scale); however, no such bound is enforced anywhere in the codebase.
Impact:
It is presently possible to configure percentage values above 100_00, which would cause the code to fail, as well as values that capture the full value of a sale; both are undesirable behaviours.
Example:
// Setter for the default royalty percentage: the new value is stored without any
// upper-bound check, so any uint96 (including values above 100_00) is accepted.
function setDefaultRoyalty(uint96 _defaultRoyalty) external onlyOwner {
    defaultRoyalty = _defaultRoyalty;
}
Recommendation:
We advise these values to be validated at the time they are configured as less than or equal to their maximum permitted value, 100_00, at minimum, and as a best practice to be restricted to a lower cap defined by the Salvor team.
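The following contract shows the unchecked setter from the report beside a hardened form that enforces a team-defined cap, together with the downstream computation that makes an out-of-range value harmful. It is an added example and is not code from the Salvor codebase or from this report; the names BASIS_POINTS, MAX_ROYALTY, RoyaltyTooHigh, sellerProceeds and the body of _getPortionOfBid are assumptions for illustration, as is the 25_00 cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Salvor's code). BASIS_POINTS, MAX_ROYALTY, RoyaltyTooHigh,
// sellerProceeds and the body of _getPortionOfBid are assumed for illustration.
contract RoyaltyConfig {
    // 100_00 == 10,000 basis points == 100.00%, the absolute upper bound.
    uint96 public constant BASIS_POINTS = 100_00;
    // Lower cap chosen by the team (assumed value); must itself be <= BASIS_POINTS.
    uint96 public constant MAX_ROYALTY = 25_00;

    uint96 public defaultRoyalty;
    address public owner;

    error RoyaltyTooHigh(uint96 requested, uint96 max);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        // Guard against a misconfigured cap at deployment time.
        require(MAX_ROYALTY <= BASIS_POINTS, "cap above 100%");
    }

    // Vulnerable form, as in the report: any uint96 is accepted, including > 100_00.
    function setDefaultRoyaltyUnchecked(uint96 _defaultRoyalty) external onlyOwner {
        defaultRoyalty = _defaultRoyalty;
    }

    // Hardened form: reject anything above the team-defined cap. Because the cap is
    // <= BASIS_POINTS, this also satisfies the minimum requirement of <= 100_00.
    function setDefaultRoyalty(uint96 _defaultRoyalty) external onlyOwner {
        if (_defaultRoyalty > MAX_ROYALTY) {
            revert RoyaltyTooHigh(_defaultRoyalty, MAX_ROYALTY);
        }
        defaultRoyalty = _defaultRoyalty;
    }

    // Assumed shape of the portion computation: a basis-point share of the bid.
    function _getPortionOfBid(uint256 bid, uint96 percentage) internal pure returns (uint256) {
        return (bid * percentage) / BASIS_POINTS;
    }

    // Illustrates the failure mode: with defaultRoyalty > 100_00 the royalty exceeds
    // the bid and the subtraction reverts under Solidity 0.8 checked arithmetic; with
    // defaultRoyalty == 100_00 the seller receives nothing.
    function sellerProceeds(uint256 bid) external view returns (uint256) {
        uint256 royalty = _getPortionOfBid(bid, defaultRoyalty);
        return bid - royalty;
    }
}
```

Calling setDefaultRoyaltyUnchecked(150_00) followed by sellerProceeds(1 ether) reverts, and setDefaultRoyaltyUnchecked(100_00) makes sellerProceeds return 0; the hardened setDefaultRoyalty rejects both inputs up front with RoyaltyTooHigh, which is the check the recommendation asks for.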