XO-updateUtilizationCurve function does not check if the newUtilizationCurve is actually a valid JumpRateUtilizationCurve.
Summary
The vulnerability pertains to the updateUtilizationCurvefunction. The issue lies in the absence of a validation check for the newUtilizationCurve parameter, which represents a JumpRateUtilizationCurve. This omission allows an attacker to craft a malicious JumpRateUtilizationCurve with invalid values for the minRate,maxRate, or targetRateproperties. By invoking the updateUtilizationCurve function with this malevolent curve, the attacker can trigger a contract revert.
There is a vulnerability in the updateUtilizationCurve function. The problem with is that there is a line in the function it does not check if the newUtilizationCurve is actually a valid JumpRateUtilizationCurve. This means that an attacker could create a malicious JumpRateUtilizationCurve that has invalid values for the minRate,maxRate, or targetRate properties. If the attacker were able to do this, they could then call the updateUtilizationCurve function and cause the contract to revert.
Impact
An attacker could create a malicious JumpRateUtilizationCurve that has invalid values for the minRate,maxRate, or targetRate properties. If the attacker were able to do this, they could then call the updateUtilizationCurve function and cause the contract to revert.
added require(newUtilizationCurve.isValid()); to the function, to check if the newUtilizationCurve is actually a valid JumpRateUtilizationCurve. If it is not, the function will revert.
XDZIBEC
high
XO-
updateUtilizationCurvefunction does not check if thenewUtilizationCurveis actually a validJumpRateUtilizationCurve.Summary
updateUtilizationCurvefunction. The issue lies in the absence of a validation check for thenewUtilizationCurveparameter, which represents aJumpRateUtilizationCurve.This omission allows an attacker to craft a maliciousJumpRateUtilizationCurvewith invalid values for theminRate,maxRate,ortargetRateproperties. By invoking theupdateUtilizationCurvefunction with this malevolent curve, the attacker can trigger a contract revert.Vulnerability Detail
updateUtilizationCurvefunction. The problem with is that there is a line in the function it does not check if thenewUtilizationCurveis actually a validJumpRateUtilizationCurve.This means that an attacker could create a maliciousJumpRateUtilizationCurvethat has invalid values for theminRate,maxRate,ortargetRateproperties. If the attacker were able to do this, they could then call theupdateUtilizationCurvefunction and cause the contract to revert.Impact
JumpRateUtilizationCurvethat has invalid values for theminRate,maxRate,ortargetRateproperties. If the attacker were able to do this, they could then call theupdateUtilizationCurvefunction and cause the contract to revert.Code Snippet
Tool used
Manual Review
Recommendation
require(newUtilizationCurve.isValid());to the function, to check if thenewUtilizationCurveis actually a validJumpRateUtilizationCurve.If it is not, the function will revert.