search

sherlock-audit / 2023-01-uxd-judging

3 stars 1 forks source link

ak1 - Validate critical input parameters #442

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ak1

medium

Validate critical input parameters

Summary

In the current UXD implementation, there are certain places the input parameters are used without validation.

Since they are very critical in nature when we look at the places, I would like to flag them as medium.

Vulnerability Detail

Following places lacks the input validation checks. if they are missed, it would bring unexpected results.

UXPToken.sol#L21-L25 - minting of tokens takes place to custodian address

constructor(address custodian, uint256 initialTotalSupply, address lzEndpoint) OFT("UXD Governance Token", "UXP", lzEndpoint) ERC20Permit("UXP") {
    if (initialTotalSupply != 0) {
        _mint(custodian, initialTotalSupply);
    }
}

RageDnDepository.sol - softCap should be > 0. 

function setRedeemableSoftCap(uint256 softCap) external onlyOwner {
    redeemableSoftCap = softCap;
    emit RedeemableSoftCapUpdated(msg.sender, softCap);
}

When the Perp has this check by considering the level of importance, Rage is missing.

Below is the Perp implementation :

function setRedeemableSoftCap(uint256 softCap) external onlyOwner {
    if (softCap == 0) {
        revert ZeroAmount();
    }
    redeemableSoftCap = softCap;

    emit RedeemableSoftCapUpdated(msg.sender, softCap);
}

Impact

  1. UXP could be minted to invalid address.
  2. zero soft cap would help to mint more number of UXP token.

Code Snippet

https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/rage-trade/RageDnDepository.sol#L90-L94

Tool used

Manual Review

Recommendation

Validate the critical input parameters.