The SDLPoolCCIPController contract contains a vulnerability in the setMaxLINKFee function: the function performs no input validation. Because of this, the contract owner can set an unreasonably high maximum LINK fee with no constraint at all.
The setMaxLINKFee function in the SDLPoolCCIPController contract lacks an input validation check to ensure that the supplied maximum LINK fee is reasonable and does not exceed a defined limit. Without such a check, an excessively high fee can be stored, leading to unexpected behavior or potential misuse.
In short, setMaxLINKFee lets the contract owner set the maximum LINK fee without verifying that the supplied value falls within reasonable bounds.
The impact is that an attacker who controls the owner role, or the contract owner itself, could set an unreasonably high maximum LINK fee, which might adversely affect the intended functionality of the contract. This could lead to misuse or unexpected financial consequences, affecting the overall stability and reliability of the SDLPoolCCIPController contract.
Manual
Implement input validation in the setMaxLINKFee function to ensure that the provided maximum LINK fee is within reasonable bounds.
By adding a require statement that checks the supplied maximum LINK fee against a reasonable upper bound (e.g., a MAX_REASONABLE_LINK_FEE constant), the contract rejects excessively high fees, mitigating the risk of unexpected behavior or misuse. Adjust the MAX_REASONABLE_LINK_FEE constant to the specific requirements and constraints of the system.
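The recommended bound, as an added illustration that is not the project's own SDLPoolCCIPController code: a minimal contract with the unbounded setter described above (commented out) beside a bounded version. The `owner` address, the `maxLINKFee` storage variable, the `onlyOwner` modifier and the value chosen for MAX_REASONABLE_LINK_FEE are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract only; not the SDLPoolCCIPController implementation.
contract MaxLinkFeeExample {
    address public owner;          // assumed: set at deployment
    uint256 public maxLINKFee;     // assumed: read by the CCIP send path

    // Constructed upper bound: 100 LINK (LINK has 18 decimals).
    // Tune this constant to the system's actual fee requirements.
    uint256 public constant MAX_REASONABLE_LINK_FEE = 100e18;

    event MaxLINKFeeSet(uint256 oldFee, uint256 newFee);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _initialMaxLINKFee) {
        owner = msg.sender;
        _setMaxLINKFee(_initialMaxLINKFee);
    }

    // Unbounded setter, as described in the finding: any value is accepted.
    // function setMaxLINKFee(uint256 _maxLINKFee) external onlyOwner {
    //     maxLINKFee = _maxLINKFee;
    // }

    // Bounded setter: the require rejects any value above the constant.
    function setMaxLINKFee(uint256 _maxLINKFee) external onlyOwner {
        _setMaxLINKFee(_maxLINKFee);
    }

    function _setMaxLINKFee(uint256 _maxLINKFee) internal {
        require(
            _maxLINKFee <= MAX_REASONABLE_LINK_FEE,
            "fee exceeds MAX_REASONABLE_LINK_FEE"
        );
        emit MaxLINKFeeSet(maxLINKFee, _maxLINKFee);
        maxLINKFee = _maxLINKFee;
    }
}
```

Applying the same check in the constructor means the bound also holds for the initial value, and the event gives operators a log entry to alert on whenever the fee changes.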