0xmuxyz - Lack of a validation to check whether or not the total percent allocations in the `sortedPercentAllocations` array would be `100%`, which lead to that the percent allocations would be wrongly set #88
Lack of a validation to check whether or not the total percent allocations in the sortedPercentAllocations array would be 100%, which lead to that the percent allocations would be wrongly set
Summary
Lack of a validation to check whether or not the total percent allocations in the sortedPercentAllocations array would be 100%, which lead to that the percent allocations would be wrongly set.
For example, the total percent allocations would be more than 100% or less than 100%.
On the assumption that, total percent allocations are supposed to be 100%.
However, through the process of the percent allocation from the DiversifierFactory#createDiversifier() to the LibRecipients#_unpack() above, there is no validation to check whether or not the total percentage allocations would be 100%.
Impact
This lead to that the percent allocations would be wrongly set.
For example, the total percent allocations would be more than 100% or less than 100%.
Within the DiversifierFactory#createDiversifier(), consider adding a validation to check whether or not the total percent allocations in the sortedPercentAllocations array would be 100% like this:
(NOTE:In the example code below, the percent would be assumed in Basis Point)
function createDiversifier(CreateDiversifierParams calldata params_) external returns (address diversifier) {
// create pass-through wallet w {this} as owner & no passThrough
PassThroughWalletImpl passThroughWallet = passThroughWalletFactory.createPassThroughWallet(
PassThroughWalletImpl.InitParams({owner: address(this), paused: params_.paused, passThrough: ADDRESS_ZERO})
);
diversifier = address(passThroughWallet);
// parse oracle params for swapper-recipients
OracleImpl oracle = _parseOracleParams(diversifier, params_.oracleParams);
// create split w diversifier (pass-through wallet) as controller
(address[] memory sortedAccounts, uint32[] memory sortedPercentAllocations) =
_parseRecipientParams(diversifier, oracle, params_.recipientParams);
+ uint32 totalPercentAllocations;
+ for (uint i=0; i < sortedPercentAllocations.length) {
+ totalPercentAllocations += sortedPercentAllocations[i];
+ }
+ require(totalPercentAllocations == 100_00, "Total percent allocations must be equal to 100%") /// @dev - NOTE: The percent would be assumed in Basis Point (BPS)
address passThroughSplit = splitMain.createSplit({
accounts: sortedAccounts,
percentAllocations: sortedPercentAllocations,
distributorFee: 0,
controller: diversifier
});
0xmuxyz
medium
Lack of a validation to check whether or not the total percent allocations in the
sortedPercentAllocations
array would be100%
, which lead to that the percent allocations would be wrongly setSummary
Lack of a validation to check whether or not the total percent allocations in the
sortedPercentAllocations
array would be100%
, which lead to that the percent allocations would be wrongly set. For example, the total percent allocations would be more than 100% or less than 100%.Vulnerability Detail
Within the DiversifierFactory, the
RecipientParams
struct, thepercentAllocation
would be defined like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-diversifier/src/DiversifierFactory.sol#L40Within the DiversifierFactory#
createDiversifier()
, thesortedPercentAllocations
would be returned from the DiversifierFactory#_parseRecipientParams()
and then it would be assigned into thepercentAllocations
property like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-diversifier/src/DiversifierFactory.sol#L77-L78Within the DiversifierFactory#
_parseRecipientParams()
that is called above, the LibRecipients#_pack()
would be used for calculating the percent allocation of each recipient and then the info including the calculated-percent allocations would be returned via the LibRecipients#_unpackAccountsInPlace()
like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-diversifier/src/DiversifierFactory.sol#L124Within the LibRecipients#
_pack()
, thepercentAllocation_
would be wrapped like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/LibRecipients.sol#L129-L131Within the LibRecipients#
_unpackAccountsInPlace()
, the LibRecipients#_unpack()
would be called and then thepercentAllocations
array would be returned like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/LibRecipients.sol#L88-L99Within the LibRecipients#
_unpack()
, thepercentAllocation
would be unwrapped and returned like this: https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/LibRecipients.sol#L139On the assumption that, total percent allocations are supposed to be 100%.
However, through the process of the percent allocation from the DiversifierFactory#
createDiversifier()
to the LibRecipients#_unpack()
above, there is no validation to check whether or not the total percentage allocations would be 100%.Impact
This lead to that the percent allocations would be wrongly set. For example, the total percent allocations would be more than 100% or less than 100%.
Code Snippet
Tool used
Manual Review
Recommendation
Within the DiversifierFactory#
createDiversifier()
, consider adding a validation to check whether or not the total percent allocations in thesortedPercentAllocations
array would be100%
like this: (NOTE:In the example code below, the percent would be assumed in Basis Point)