sherlock-audit / 2023-07-kyber-swap-judging


JP_Courses - Factory::enableSwapFee() - L152: no zero amount check for `swapFeeUnits`. #110

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

JP_Courses

medium

Factory::enableSwapFee() - L152: no zero amount check for swapFeeUnits.

Summary

Factory::enableSwapFee() - L152: no zero amount check for swapFeeUnits.

Vulnerability Detail

https://github.com/sherlock-audit/2023-07-kyber-swap/blob/main/ks-elastic-sc/contracts/Factory.sol#L152-L164

Currently it is totally possible to assign a zero value to swapFeeUnits successfully via the enableSwapFee() function. It will pass the require checks. Unless it is intended functionality (which I doubt), meaning that it should be possible/acceptable to set swapFeeUnits = 0, there should be a check to ensure a zero value cannot be assigned to swapFeeUnits.

Impact

At least no swap fees, possibly impacting other areas of protocol.

Code Snippet

https://github.com/sherlock-audit/2023-07-kyber-swap/blob/main/ks-elastic-sc/contracts/Factory.sol#L152-L164

Tool used

VSC. Manual Review

Recommendation

There should be a check to ensure a zero value cannot be assigned to swapFeeUnits. Add the following above L157:

```solidity
require(swapFeeUnits != 0, 'zero units');
```

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

Trumpero commented:

invalid, this function is used to configure the mapping feeAmountTickDistance to set the value tickDistance corresponding to each value of fee