yieldprotocol / variable-rate-audit-obheda12


[M-02] Reputation risk with fee setters #3

Open obheda12 opened 1 year ago

obheda12 commented 1 year ago

Description

Within the VyToken contract, fee setter functions are not checking for arbitrarily high fees. In the event that the fee specified is 100% of the amount or larger, there exists reputation risk as a malicious authority can change this within 1 block.

PoC

VYToken.sol, line 65:

    function setFlashFeeFactor(uint256 flashFeeFactor_) external auth {
        flashFeeFactor = flashFeeFactor_;
        emit FlashFeeFactorSet(flashFeeFactor_);
    }

Recommendations

Ensure that there is proper validation for the maximum amount one can set the fee to. Below is an example of possible remediated code:

 function setFlashFeeFactor(uint256 flashFeeFactor_) external auth {
+   require(flashFeeFactor_ <= 1, "...");
    flashFeeFactor = flashFeeFactor_;
    emit FlashFeeFactorSet(flashFeeFactor_);
}
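Review bot: the cap in `require(flashFeeFactor_ <= 1, "...");` is only correct if flashFeeFactor is a plain ratio; if the factor is a fixed-point multiplier (for example scaled by 1e18, which the issue does not state either way), a cap of 1 would restrict the fee to effectively zero, so the maximum should be expressed in the same scale that the fee computation uses, ideally as a named constant. The revert reason `"..."` is also a placeholder and should be replaced with a descriptive message before this is proposed as a concrete fix.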
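As an added illustration, not code from the audit or from the project, the following Python model of the setter and fee computation shows why the cap must be written in the factor's own scale. It assumes, unlike anything stated in the issue, an 18-decimal fixed-point factor in which 1e18 means a 100% fee; the class and function names are constructed for this example.

```python
# Constructed model of a flash-fee setter and fee computation (not the
# Solidity contract). Assumption not taken from the issue: the factor is
# 18-decimal fixed point, so 1e18 == 100% of the flash-loaned amount.
FEE_FACTOR_SCALE = 10**18
MAX_FLASH_FEE_FACTOR = FEE_FACTOR_SCALE  # cap the fee at 100% of the amount
UINT256_MAX = 2**256 - 1


class FlashFeeConfig:
    def __init__(self) -> None:
        self.flash_fee_factor = 0

    def set_flash_fee_factor_unchecked(self, factor: int) -> None:
        """Setter as reported in the issue: any uint256 is accepted."""
        if not 0 <= factor <= UINT256_MAX:
            raise ValueError("not a uint256")
        self.flash_fee_factor = factor

    def set_flash_fee_factor(self, factor: int) -> None:
        """Hardened setter: the bound is expressed in the factor's scale."""
        if not 0 <= factor <= UINT256_MAX:
            raise ValueError("not a uint256")
        if factor > MAX_FLASH_FEE_FACTOR:
            raise ValueError("flash fee factor above 100%")
        self.flash_fee_factor = factor

    def flash_fee(self, amount: int) -> int:
        # Solidity-style integer math: fee = amount * factor / 1e18, rounded down
        return amount * self.flash_fee_factor // FEE_FACTOR_SCALE


def fee_with_unchecked_factor(factor: int, amount: int) -> int:
    """Fee charged on `amount` when the reported (unchecked) setter is used."""
    cfg = FlashFeeConfig()
    cfg.set_flash_fee_factor_unchecked(factor)
    return cfg.flash_fee(amount)


def hardened_setter_accepts(factor: int) -> bool:
    """True if the bounded setter accepts `factor`, False if it reverts."""
    cfg = FlashFeeConfig()
    try:
        cfg.set_flash_fee_factor(factor)
    except ValueError:
        return False
    return True
```

With the unchecked setter a factor of 2e18 charges twice the borrowed amount, while a cap of a bare 1 in this scale would only permit a fee that rounds to zero on ordinary amounts.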

iamsahu commented 1 year ago

Considering our mature governance proposal, we don't see this as a risk. Read more about the methodology here