Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Invalid

Discrepancy between `SystemConfig` and `SystemConfigStorage` fee rates with no validation could lead to misconfiguration

Summary

The inline documentation in the SystemConfig contract gives a default base platform fee rate of 0.5%, which matches the platform documentation. The SystemConfigStorage contract, however, documents the same variable with a default of 0.05%. The discrepancy is only in comments, but it points to a real gap: `SystemConfig::initialize` accepts any `uint256` for the fee rates and performs no validation. An administrator who misreads the unit or slips a zero (the two comments differ by exactly a factor of ten) can set a rate far from the intended value with no revert and no warning. Without a check that the rates fall within an expected range, a single mistyped input can lead to users being charged the wrong fee or the platform collecting less revenue than planned.

Vulnerability Details

  • SystemConfig Contract:

    • The inline docs specify the base platform fee rate as 0.5%, which matches the expected value and the platform documentation:

/**
* @notice Set base platform fee rate and base referral rate
* @dev Caller must be owner
@> * @param _basePlatformFeeRate Base platform fee rate, default is 0.5%
* @param _baseReferralRate Base referral rate, default is 30%
*/
function initialize(uint256 _basePlatformFeeRate, uint256 _baseReferralRate) external onlyOwner {
basePlatformFeeRate = _basePlatformFeeRate;
baseReferralRate = _baseReferralRate;
}
  • SystemConfigStorage Contract:

    • States a default base platform fee rate of 0.05%. This disagrees with the 0.5% rate given in the SystemConfig contract and the docs, and shows how easily the intended value can be misstated:

contract SystemConfigStorage is UpgradeableStorage {
@> /// @dev base platform fee rate, default 0.05%
uint256 public basePlatformFeeRate;
}

Lack of Validation

The primary issue is that `SystemConfig::initialize` performs no validation of the fee rates it stores. The inconsistent comments above show how easily such mistakes slip in, and the absence of validation means:

  • Error-Prone Settings: Administrators can set incorrect values for the fee rates without being alerted; the transaction succeeds whether the value is 0.05%, 0.5% or 50%.

  • Potential for Financial Discrepancies: A fee rate set higher than intended overcharges users; one set lower than intended means the platform collects less revenue than anticipated. Either way the loss is silent until someone compares on-chain state with the documented value.

Impact

  1. Financial Losses: Incorrect fee rates due to configuration errors can lead to financial losses. For example, if the platform charges more or less than intended, it could affect the platform’s revenue or user funds.

  2. Increased Risk of Errors: The lack of validation allows for easy misconfiguration and discrepancies, increasing the likelihood of financial inaccuracies and system issues.

Tools Used

VSCode

Recommendations

Add validation logic in the SystemConfig contract so that fee rates are checked against expected values or bounds before being stored. The simplest form pins each rate to a documented constant; if the rates are meant to remain configurable, a bounded range check (for example, a maximum fee rate) is the more practical variant. Example of the strict form:

function initialize(uint256 _basePlatformFeeRate, uint256 _baseReferralRate) external onlyOwner {
+ require(_basePlatformFeeRate == EXPECTED_PLATFORM_FEE_RATE, "Invalid platform fee rate");
+ require(_baseReferralRate == EXPECTED_REFERRAL_RATE, "Invalid referral rate");
basePlatformFeeRate = _basePlatformFeeRate;
baseReferralRate = _baseReferralRate;
}
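The following is an added illustration of the bounded variant of the recommendation above; it is example code written for this page, not the Tadle contracts. The rate scaler (1e6 = 100%, so 0.5% = 5_000), the maximum rates and the error names are assumptions chosen for the example, not values taken from the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Stand-in for the storage contract referenced above (example only, not Tadle's code).
abstract contract SystemConfigStorageExample {
    /// @dev Assumed unit for this example: rates are scaled so that 1e6 == 100%.
    ///      With this scaler, 0.5% == 5_000 and 0.05% == 500.
    uint256 public constant RATE_SCALER = 1_000_000;

    /// @dev base platform fee rate, expected default 0.5% (5_000 under RATE_SCALER)
    uint256 public basePlatformFeeRate;
    /// @dev base referral rate, expected default 30% (300_000 under RATE_SCALER)
    uint256 public baseReferralRate;
}

contract SystemConfigExample is SystemConfigStorageExample {
    // Hypothetical ceilings; the real limits are a product decision.
    // They catch order-of-magnitude slips (e.g. 50% typed instead of 0.5%)
    // while still letting the owner tune the rate within a sane band.
    uint256 public constant MAX_PLATFORM_FEE_RATE = 50_000;  // 5%
    uint256 public constant MAX_REFERRAL_RATE = 500_000;     // 50%

    address public owner;

    error NotOwner();
    error PlatformFeeRateOutOfRange(uint256 given, uint256 max);
    error ReferralRateOutOfRange(uint256 given, uint256 max);

    event RatesInitialized(uint256 platformFeeRate, uint256 referralRate);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// @notice Set base platform fee rate and base referral rate, rejecting values
    ///         outside the expected band instead of storing them silently.
    function initialize(uint256 _basePlatformFeeRate, uint256 _baseReferralRate) external onlyOwner {
        if (_basePlatformFeeRate > MAX_PLATFORM_FEE_RATE) {
            revert PlatformFeeRateOutOfRange(_basePlatformFeeRate, MAX_PLATFORM_FEE_RATE);
        }
        if (_baseReferralRate > MAX_REFERRAL_RATE) {
            revert ReferralRateOutOfRange(_baseReferralRate, MAX_REFERRAL_RATE);
        }
        basePlatformFeeRate = _basePlatformFeeRate;
        baseReferralRate = _baseReferralRate;
        emit RatesInitialized(_basePlatformFeeRate, _baseReferralRate);
    }

    /// @notice Fee charged on `amount` at the stored rate; shows how a mis-scaled
    ///         rate would surface (amount 1_000e18 at 5_000 -> 5e18, i.e. 0.5%).
    function platformFee(uint256 amount) external view returns (uint256) {
        return (amount * basePlatformFeeRate) / RATE_SCALER;
    }
}
```

With these assumptions, `initialize(5_000, 300_000)` stores 0.5% and 30%, while `initialize(500_000, 300_000)` (a 0.5% rate typed with the wrong scale, i.e. 50%) reverts with `PlatformFeeRateOutOfRange`. The check does not prevent a value that is merely wrong but in range, such as 500 (0.05%), so the documented default and the scaler should also be kept consistent across the contracts' comments.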
Updates

Lead Judging Commences

0xnevi Lead Judge, about 1 year ago

Submission Judgement Published
0xnevi Lead Judge, about 1 year ago
Invalidated
Reason: Known issue
Assigned finding tags:

[invalid] finding-Admin-Errors-Malicious

The following issues and their duplicates are invalid as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in README; they can break certain assumptions of the code based on their actions, and
