In the contract SmartVaultManagerV5, the functions setMintFeeRate(), setBurnFeeRate() and setSwapFeeRate() do not check that the provided rates fall within reasonable bounds.
By defining upper and lower limits for settings that the owner of a system can adjust, users gain more trust in, and can better verify, those parameters. Currently, the owner of the SmartVaultManagerV5 contract can set all fees to any value a uint256 can take.
Similar findings from other contests/audits:
https://solodit.xyz/issues/missing-boundary-checks-on-feebps-spearbit-seadrop-pdf
https://solodit.xyz/issues/missing-upperlower-bound-checks-halborn-gammaswap-labs-core-strategies-and-periphery-pdf
https://solodit.xyz/issues/l-04-percentage-setter-should-be-bounded-pashov-none-ipnft-markdown
https://solodit.xyz/issues/missing-upper-bound-definition-on-the-max-entries-halborn-none-a41-supernova-cosmos-pdf
The owner could, intentionally or not, set some of the indicated fees to unreasonable values, affecting the reliability and functionality of the system.
Manual analysis.
Consider adding an upper and lower limit to the highlighted functions.
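One way to apply this recommendation, shown as an added example that is not the SmartVaultManagerV5 source. The contract name BoundedFeeConfig, the constants FEE_DENOMINATOR, MIN_FEE_RATE and MAX_FEE_RATE with their values, the error and event names, and the minimal owner check are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; not the project's code. All bounds are placeholder values.
contract BoundedFeeConfig {
    uint256 public constant FEE_DENOMINATOR = 100_000; // assumed scale: 100% == 100_000
    uint256 public constant MIN_FEE_RATE = 0;          // assumed lower limit
    uint256 public constant MAX_FEE_RATE = 5_000;      // assumed upper limit (5% at this scale)

    address public immutable owner; // stand-in for the project's access control
    uint256 public mintFeeRate;
    uint256 public burnFeeRate;
    uint256 public swapFeeRate;

    error NotOwner();
    error FeeRateOutOfBounds(uint256 rate, uint256 min, uint256 max);
    event FeeRateUpdated(bytes32 indexed fee, uint256 oldRate, uint256 newRate);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Single choke point: every setter goes through the same range check,
    // so a new fee setter cannot silently skip validation.
    function _update(bytes32 fee, uint256 oldRate, uint256 newRate) private returns (uint256) {
        if (newRate < MIN_FEE_RATE || newRate > MAX_FEE_RATE) {
            revert FeeRateOutOfBounds(newRate, MIN_FEE_RATE, MAX_FEE_RATE);
        }
        emit FeeRateUpdated(fee, oldRate, newRate); // lets users monitor changes off-chain
        return newRate;
    }

    function setMintFeeRate(uint256 rate) external onlyOwner {
        mintFeeRate = _update("mint", mintFeeRate, rate);
    }

    function setBurnFeeRate(uint256 rate) external onlyOwner {
        burnFeeRate = _update("burn", burnFeeRate, rate);
    }

    function setSwapFeeRate(uint256 rate) external onlyOwner {
        swapFeeRate = _update("swap", swapFeeRate, rate);
    }
}
```

Declaring the limits as public constants lets users read the worst-case fee directly from the contract instead of trusting the owner's future behaviour.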