Unconstrained Fees #76
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-377
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L952-L969
Vulnerability details
Impact
An admin may set unconstrained fees for opening and closing trades in the Trading.sol smart contract, in the setFees function. An admin might mistakenly (or deliberately, maliciously) set a fee that is very large, which will lead to users losing money on the trading platform; the admin might also set a fee higher than 100%, which will make the trading contract unusable since transactions will revert.
Proof of Concept
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Trading.sol#L952-L969
Tools Used
Manual Review
Recommended Mitigation Steps
Add relevant checks and constraints before setting the fees, especially the DAO and burn fees.
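As an added illustration (not code from Tigris's Trading.sol and not part of the warden's submission), the contract below contrasts an unchecked fee setter with a bounded one and shows the fee application that reverts once the total exceeds 100%. The contract name, the Fees struct, the onlyOwner modifier, DIVISION_CONSTANT, MAX_TOTAL_FEE and the fee arithmetic are assumptions chosen for this example; the real setFees is at the link above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical contract illustrating the finding. Layout and constants are
/// assumptions for this example, not the Tigris implementation.
contract FeeConfigExample {
    // 100% expressed in fee units (assumed scale for this example)
    uint256 public constant DIVISION_CONSTANT = 1e10;
    // Policy cap on the sum of all fee components: 10% (assumed value)
    uint256 public constant MAX_TOTAL_FEE = 1e9;

    struct Fees {
        uint256 daoFees;
        uint256 burnFees;
        uint256 referralFees;
        uint256 botFees;
    }

    Fees public openFees;
    Fees public closeFees;
    address public owner;

    event FeesSet(bool indexed isOpen, uint256 dao, uint256 burn, uint256 referral, uint256 bot);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Vulnerable pattern: every value is accepted. If the components sum to
    /// more than DIVISION_CONSTANT the fee exceeds the position size and
    /// netAfterFee reverts on every trade, so the contract becomes unusable.
    function setFeesUnchecked(
        bool _open, uint256 _dao, uint256 _burn, uint256 _referral, uint256 _bot
    ) external onlyOwner {
        Fees storage f = _open ? openFees : closeFees;
        f.daoFees = _dao;
        f.burnFees = _burn;
        f.referralFees = _referral;
        f.botFees = _bot;
        emit FeesSet(_open, _dao, _burn, _referral, _bot);
    }

    /// Hardened pattern: bound the sum (and therefore each component) before
    /// writing storage. Checked arithmetic in 0.8 also rejects overflow in the sum.
    function setFees(
        bool _open, uint256 _dao, uint256 _burn, uint256 _referral, uint256 _bot
    ) external onlyOwner {
        uint256 total = _dao + _burn + _referral + _bot;
        require(total <= MAX_TOTAL_FEE, "total fee exceeds cap");
        Fees storage f = _open ? openFees : closeFees;
        f.daoFees = _dao;
        f.burnFees = _burn;
        f.referralFees = _referral;
        f.botFees = _bot;
        emit FeesSet(_open, _dao, _burn, _referral, _bot);
    }

    /// Fee application as a trade would use it. With an uncapped total above
    /// DIVISION_CONSTANT, fee > positionSize and the subtraction reverts.
    function netAfterFee(uint256 positionSize, bool _open) public view returns (uint256) {
        Fees storage f = _open ? openFees : closeFees;
        uint256 total = f.daoFees + f.burnFees + f.referralFees + f.botFees;
        uint256 fee = (positionSize * total) / DIVISION_CONSTANT;
        return positionSize - fee;
    }
}
```

Bounding the sum rather than each component separately is what matters for availability: four individually "reasonable" components can still add up past 100%. The cap value itself is a governance choice; the point is that it is enforced in the setter, not left to the admin.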