search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

Udsen - THERE IS NO MAXIMUM UPPERBOUND RESTRICTION FOR THE `feePerByte` VALUE WHEN IT IS BEING SET #132

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Udsen

medium

THERE IS NO MAXIMUM UPPERBOUND RESTRICTION FOR THE feePerByte VALUE WHEN IT IS BEING SET

Summary

There is no restriction on the maximum value that the newFeePerByte value can have when setting the feePerByte value in the AvailBridge.updateFeePerByte function. Thus putting the users at an disadvantage.

Vulnerability Detail

The AvailBridge.updateFeePerByte function is used to update the New fee per byte value as shown below:

    function updateFeePerByte(uint256 newFeePerByte) external onlyRole(DEFAULT_ADMIN_ROLE) {
        feePerByte = newFeePerByte; //@audit-issue - no input validation check
    }

But the issue here is that there is no maximum value restriction on hte newFeePerByte value that can be set.

Impact

Hence if the newFeePerByte is set to an extremely large value most of the average users will not be able to use the AvailBridge to send messages to the Avail chain. Hence number of the users of the protocol will be limited.

Code Snippet

    function updateFeePerByte(uint256 newFeePerByte) external onlyRole(DEFAULT_ADMIN_ROLE) {
        feePerByte = newFeePerByte;
    }

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L153-L155

Tool used

VSCode and Manual Review

Recommendation

Hence it is recommneded to set the maximum upper bound value for the feePerByte value.

sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. Admin is trusted

takarez commented:

invalid because { invalid: admin function}