sherlock-audit / 2022-10-illuminate-judging


rvierdiiev - Redeemer.setFee function will always revert #34

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

rvierdiiev

medium

Redeemer.setFee function will always revert

Summary

The Redeemer.setFee function will always revert and will not give the ability to change feenominator.

Vulnerability Detail

The Redeemer.setFee function is designed to give the ability to change the feenominator variable.

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L168-L187

    function setFee(uint256 f) external authorized(admin) returns (bool) {
        uint256 feeTime = feeChange;
        if (feeTime == 0) {
            revert Exception(23, 0, 0, address(0), address(0));
        } else if (feeTime < block.timestamp) {
            revert Exception(
                24,
                block.timestamp,
                feeTime,
                address(0),
                address(0)
            );
        } else if (f < MIN_FEENOMINATOR) {
            revert Exception(25, 0, 0, address(0), address(0));
        }
        feenominator = f;
        delete feeChange;
        emit SetFee(f);
        return true;
    }

As the feeChange value is 0 (it's not set anywhere), this function will always revert with Exception(23, 0, 0, address(0), address(0)). Also, even if feeChange was not 0, the function will give the ability to change the fee only once, because in the end it calls delete feeChange, which changes it to 0 again.

Impact

Fee can't be changed.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Add the same functions as in Lender: https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L813-L829
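
Added example, not part of the report or of the Illuminate code base: a Python model of the setFee gate quoted in the report, next to a variant with a hypothetical `schedule_fee_change` setter standing in for the Lender-style functions the recommendation points to. `MIN_FEENOMINATOR`, `HOLD` and the starting fee are constructed values, not taken from the contracts.

```python
MIN_FEENOMINATOR = 500   # assumed value; the constant's value is not shown in the report
HOLD = 3 * 24 * 3600     # assumed timelock length for the hypothetical scheduler


class Revert(Exception):
    """Stands in for Solidity's `revert Exception(code, ...)`."""
    def __init__(self, code):
        super().__init__(f"Exception({code})")
        self.code = code


class RedeemerModel:
    """Fee state as in the quoted snippet: nothing ever writes feeChange."""
    def __init__(self, feenominator=4000):  # starting fee is a constructed value
        self.feenominator = feenominator
        self.fee_change = 0                 # uint256 storage default

    def set_fee(self, f, now):
        fee_time = self.fee_change
        if fee_time == 0:
            raise Revert(23)
        elif fee_time < now:                # comparison copied unchanged from the snippet
            raise Revert(24)
        elif f < MIN_FEENOMINATOR:
            raise Revert(25)
        self.feenominator = f
        self.fee_change = 0                 # `delete feeChange`
        return True


class RedeemerWithSchedule(RedeemerModel):
    """Same gate plus a hypothetical scheduling entry point (the recommendation)."""
    def schedule_fee_change(self, now):
        self.fee_change = now + HOLD
        return True


def try_set_fee(contract, f, now):
    """Return True on success, or the revert code on failure."""
    try:
        return contract.set_fee(f, now)
    except Revert as r:
        return r.code
```

In the first model every call returns code 23 whatever the timestamp or fee; in the second, one scheduled change succeeds and the next call returns 23 again until a new change is scheduled.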

JTraversa commented 1 year ago

  1. Agree with Kenzo's escalation
  2. I suppose I might downgrade to low given no funds are at risk (although the function is clearly not functioning as intended)

IAm0x52 commented 1 year ago

Escalate for 1 USDC

Reminder @Evert0x

sherlock-admin commented 1 year ago

Escalate for 1 USDC

Reminder @Evert0x

You've created a valid escalation for 1 USDC!

To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

sourabhmarathe commented 1 year ago

https://github.com/Swivel-Finance/illumigrate/pull/242