QA Report

[code423n4]

Title : Missing input validation for values which should not be greater than 1

Impact

Various contracts allow update to some config or parameter values which should be never greater than 1.
The input validation for such a check is missing during these update functions.
In the event such values of greater than 1 are accepted, then it may result in unpredictable behavior or panic.

Proof of Concept

Listed below some of these which should be checked.
#1
Config : max_borrow_factor
Contract : money-market-contracts/contracts/market/src/contract.rs
Function : pub fn update_config(...)
Line 321 :

    if let Some(max_borrow_factor) = max_borrow_factor {
        config.max_borrow_factor = max_borrow_factor;
    }

#2
Config : base_rate
Contract : money-market-contracts/contracts/interest_model/src/contract.rs
Function : pub fn update_config(...)
Line 74 :

    if let Some(base_rate) = base_rate {
        config.base_rate = base_rate;
    }

#3
Config : interest_multiplier
Contract : money-market-contracts/contracts/interest_model/src/contract.rs
Function : pub fn update_config(...)
Line 78 :

    if let Some(interest_multiplier) = interest_multiplier {
        config.interest_multiplier = interest_multiplier;
    }

Recommended Mitigation Steps

Its recommended to add a check that the values for these configs are not more than 1.