sherlock-audit / 2024-03-flat-money-fix-review-contest-judging


Dudex_2004 - Precision Mismatch in `setLiquidationFeeRatio` and `setLiquidationBufferRatio` Functions. #4

Closed sherlock-admin3 closed 7 months ago

sherlock-admin3 commented 7 months ago

Dudex_2004

medium

Precision Mismatch in setLiquidationFeeRatio and setLiquidationBufferRatio Functions.

Summary

See details.

Vulnerability Detail

In the LiquidationModule.sol contract, the liquidation fee and buffer ratios (functions setLiquidationFeeRatio and setLiquidationBufferRatio) are expected to have 18 decimals of precision. However, the functions should ensure that the input values (_newLiquidationFeeRatio and _newLiquidationBufferRatio) are indeed given in this format.

If the provided values do not match the expected precision (e.g., if an owner inputs a value such as 0.002 instead of 2e15), then the contract may be set to use incorrect or unintended ratios.

Impact

Values can be set incorrectly.

Code Snippet

https://github.com/sherlock-audit/2024-03-flat-money-fix-review-contest/blob/main/flatcoin-v1/src/LiquidationModule.sol#L31C1-L39C1

https://github.com/sherlock-audit/2024-03-flat-money-fix-review-contest/blob/main/flatcoin-v1/src/LiquidationModule.sol#L283C1-L298C1

Tool used

Manual Review

Recommendation

Ensure that input values have the expected precision of 18 decimals.
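As an added illustration of the recommendation above (example code, not the Flat Money contract's own; the contract name, `RATIO_PRECISION`, the storage variables and the choice of 1e18 as the ceiling are assumptions for this example), the following setters show what a contract can and cannot enforce about an 18-decimal ratio on-chain. A `uint256` argument cannot carry a fraction such as 0.002, so a wrong-unit input arrives as an integer either way; the only check that is available in Solidity is a range check, here rejecting any ratio above 100% (1e18):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative setters with an explicit range check on 18-decimal ratios.
/// RatioConfigExample, RATIO_PRECISION and the storage variables below are
/// assumptions for this example; they are not the Flat Money contract's own.
contract RatioConfigExample {
    /// Ratios are fixed-point numbers scaled by 1e18 (so 2e15 == 0.2%).
    uint256 public constant RATIO_PRECISION = 1e18;

    uint256 public liquidationFeeRatio;
    uint256 public liquidationBufferRatio;
    address public immutable owner;

    error RatioOutOfRange(uint256 provided, uint256 max);
    error NotOwner();

    event LiquidationFeeRatioSet(uint256 oldRatio, uint256 newRatio);
    event LiquidationBufferRatioSet(uint256 oldRatio, uint256 newRatio);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// A uint256 cannot hold 0.002, so the only unit mistake the contract can
    /// catch is a value above 100% (e.g. 2e20 when 2e15 was intended).
    function setLiquidationFeeRatio(uint256 _newLiquidationFeeRatio) external onlyOwner {
        _checkRatio(_newLiquidationFeeRatio);
        emit LiquidationFeeRatioSet(liquidationFeeRatio, _newLiquidationFeeRatio);
        liquidationFeeRatio = _newLiquidationFeeRatio;
    }

    function setLiquidationBufferRatio(uint256 _newLiquidationBufferRatio) external onlyOwner {
        _checkRatio(_newLiquidationBufferRatio);
        emit LiquidationBufferRatioSet(liquidationBufferRatio, _newLiquidationBufferRatio);
        liquidationBufferRatio = _newLiquidationBufferRatio;
    }

    /// Reverts when the ratio exceeds 1e18 (100%); values at or below are accepted.
    function _checkRatio(uint256 ratio) internal pure {
        if (ratio > RATIO_PRECISION) revert RatioOutOfRange(ratio, RATIO_PRECISION);
    }
}
```

The events record the old and new values, which gives off-chain monitoring a simple way to flag a ratio change that is orders of magnitude away from the previous setting, the class of mistake the range check alone cannot distinguish from an intended change.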

sherlock-admin3 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

POC?

0xflare2684 commented 7 months ago

escalate hey, may I know why it got invalid?

sherlock-admin2 commented 7 months ago

escalate hey, may I know why it got invalid?

The escalation could not be created because you are not exceeding the escalation threshold.

You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.

0xflare2684 commented 7 months ago

@sherlock-admin3 why did this issue get invalid?

santipu03 commented 7 months ago

It's in the Sherlock docs:

Admin Input/call validation: Protocol admin is considered to be trusted in most cases, hence issues where

  1. Admin incorrectly enters an input parameter. Example: Make sure interestPerMin > 1 ether as it is an important parameter. This is not a valid issue.