XO-updateUtilizationCurve function does not check if the newUtilizationCurve is actually a valid JumpRateUtilizationCurve.
Summary
The vulnerability pertains to the updateUtilizationCurve function. The issue lies in the absence of a validation check for the newUtilizationCurve parameter, which represents a JumpRateUtilizationCurve. This omission allows an attacker to craft a malicious JumpRateUtilizationCurve with invalid values for the minRate, maxRate, or targetRate properties. By invoking the updateUtilizationCurve function with this malevolent curve, the attacker can trigger a contract revert.
Vulnerability Detail
There is a vulnerability in the updateUtilizationCurve function. The problem is that the function does not check whether the newUtilizationCurve is actually a valid JumpRateUtilizationCurve. This means that an attacker could create a malicious JumpRateUtilizationCurve that has invalid values for the minRate, maxRate, or targetRate properties. If the attacker were able to do this, they could then call the updateUtilizationCurve function and cause the contract to revert.
Impact
An attacker could create a malicious JumpRateUtilizationCurve that has invalid values for the minRate, maxRate, or targetRate properties. If the attacker were able to do this, they could then call the updateUtilizationCurve function and cause the contract to revert.
Recommendation
Add require(newUtilizationCurve.isValid()); to the function to check whether the newUtilizationCurve is actually a valid JumpRateUtilizationCurve. If it is not, the function will revert.
XDZIBEC
high
Tool used
Manual Review