
In init() it is not checked if the fees are in the accepted range #76

Open
hats-bug-reporter bot opened this issue Jun 30, 2024 · 1 comment
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter

Github username: --
Twitter username: --
Submission hash (on-chain): 0x95ab7ec3aa88b33a4b882ebdfc0724a2439bedd0ea7e3482af39762cdb92f1ad
Severity: low

Description
In init function the default fees values are set.

Later these fees can be updated with setEntryFee, setExitFee, setProtocolFee. Inside these functions, there is a check that ensures the fee value is not more than the max.

    if (exitFee > maxExitFeePercentage) {
        revert Errors.MultiVault_InvalidExitFee();
    }

There is no such check in the init function when setting the default fees.

Attack Scenario
Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File
  2. Revised Code File (Optional)
+     uint256 maxFeePercentage = generalConfig.feeDenominator / 10;
+
+      if ( _defaultVaultFees.entryFee > maxFeePercentage) {
+            revert Errors.MultiVault_InvalidEntryFee();
+       }
+        
+        if (_defaultVaultFees.exitFee > maxFeePercentage) {
+            revert Errors.MultiVault_InvalidExitFee();
+        }
+
+        if ( _defaultVaultFees.protocolFee > maxFeePercentage) {
+            revert Errors.MultiVault_InvalidProtocolFee();
+        }

vaultFees[0] = VaultFees({
            // @audit not checked if the values are in the accepted range
            entryFee: _defaultVaultFees.entryFee,
            exitFee: _defaultVaultFees.exitFee,
            protocolFee: _defaultVaultFees.protocolFee
        });
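Review bot: the added block bounds all three fees by one value, `generalConfig.feeDenominator / 10`, whereas the setters quoted in the report compare against per-fee limits such as `maxExitFeePercentage`; unless every one of those limits equals `feeDenominator / 10`, init and the setters would accept different ranges, so the new checks should reuse the same limits the setters use. The block also reads `generalConfig.feeDenominator`, so it has to sit after `generalConfig` is assigned in init, and the indentation of the three `if` blocks should be made consistent with the surrounding code.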
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Jun 30, 2024
@mihailo-maksa mihailo-maksa added the invalid This doesn't seem right label Jul 1, 2024
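To show the pattern the report is asking for, here is an added illustration (not the project's own code) in which init and the setters share one validation helper, so the two paths cannot enforce different fee ranges; the contract, struct, error and function names, and the 10% cap are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not MultiVault code. Names and the cap are assumed.
library Errors {
    error MultiVault_InvalidEntryFee();
    error MultiVault_InvalidExitFee();
    error MultiVault_InvalidProtocolFee();
}

contract FeeBoundsExample {
    struct VaultFees { uint256 entryFee; uint256 exitFee; uint256 protocolFee; }

    uint256 public immutable feeDenominator; // e.g. 10_000 for basis points
    mapping(uint256 => VaultFees) public vaultFees;
    bool private initialized;

    // Access control on init and the setter is omitted for brevity.
    constructor(uint256 _feeDenominator) { feeDenominator = _feeDenominator; }

    // One bound consulted by init and by every setter, so the accepted
    // range cannot drift apart between the two code paths.
    function maxFeePercentage() public view returns (uint256) {
        return feeDenominator / 10; // 10% cap (assumed value)
    }

    function _checkFees(VaultFees memory f) internal view {
        uint256 cap = maxFeePercentage();
        if (f.entryFee > cap) revert Errors.MultiVault_InvalidEntryFee();
        if (f.exitFee > cap) revert Errors.MultiVault_InvalidExitFee();
        if (f.protocolFee > cap) revert Errors.MultiVault_InvalidProtocolFee();
    }

    function init(VaultFees memory defaults) external {
        require(!initialized, "already initialized");
        initialized = true;
        _checkFees(defaults);   // the check the report says init lacks
        vaultFees[0] = defaults;
    }

    function setExitFee(uint256 id, uint256 exitFee) external {
        VaultFees memory f = vaultFees[id];
        f.exitFee = exitFee;
        _checkFees(f);          // same bound as init
        vaultFees[id] = f;
    }
}
```

With the helper in place, a deployment script that passes an out-of-range default reverts at init instead of storing a value the setters would later refuse.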
@mihailo-maksa
Collaborator

The report suggests that the init function does not check if default fee values are within an acceptable range.

Label: invalid

Comment:
Our deployment script has the fees and other key deployment parameters hardcoded, making it unnecessary to check for their specific values as part of the init method. This design choice prioritizes both gas savings and simplicity.

Comment on the issue:
Our deployment script has the fees and other key deployment parameters hardcoded, making it unnecessary to check for their specific values in the init method. This design prioritizes gas savings and simplicity.
