Flow
Sablier
FoundryDeFi
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Constant Definitions

hackz

Summary

The constant MAX_FEE is defined using the UD60x18 type, which may not handle large decimal values correctly, potentially leading to unexpected behaviors in fee calculations.

Finding Description

The MAX_FEE constant is set as UD60x18.wrap(0.1e18), which represents a 10% fee. However, the behavior of the UD60x18 type in edge cases (e.g., exceeding maximum value, improper scaling) should be closely examined. If the wrapping function does not correctly handle the input or if the math operations involving this constant are improperly managed, it can lead to inaccurate fee calculations.

This vulnerability primarily breaks the security guarantee of consistent and predictable fee structures, leading to potential exploitation by malicious actors who may manipulate fee-related functions to gain an unfair advantage or exploit contract interactions.

If a malicious input is crafted such that it attempts to set fees exceeding MAX_FEE or manipulate related fee calculations, it could propagate through functions that rely on MAX_FEE for validations, potentially resulting in unauthorized fee collections or overflow errors.

Vulnerability Details

  • Location: The constant definition is located at:

    UD60x18 public constant override MAX_FEE = UD60x18.wrap(0.1e18);

  • Affected Functions: Any function that relies on MAX_FEE for validating or calculating fees could be affected, particularly setProtocolFee.

Impact

This issue is assessed as medium severity because while it does not directly allow for immediate exploitation or fund loss, it poses a risk to the integrity of fee management within the contract. If users or the protocol cannot trust the fee calculations, it could result in significant financial implications and reputational damage for the contract and its associated projects.

Proof of Concept

To demonstrate the issue, consider a scenario where a malicious actor calls the setProtocolFee function with a fee greater than MAX_FEE:

contract MaliciousContract {
SablierFlowBase sablier;
function exploit() external {
// Assuming `sablier` is initialized and points to the SablierFlowBase contract
// Attempt to set a protocol fee greater than MAX_FEE
sablier.setProtocolFee(token, UD60x18.wrap(0.2e18)); // 20% fee
}
}

If the check for MAX_FEE is flawed, the contract may allow this malicious action, undermining the intended fee cap.

Recommendations

To mitigate this issue, ensure that the MAX_FEE constant is validated correctly and that all functions interacting with fees are safeguarded against invalid inputs. Here are some recommendations:

  1. Validation Checks: Implement comprehensive checks in the setProtocolFee function to ensure that any new fee does not exceed MAX_FEE before allowing state changes.

  2. Update Constant: If necessary, revise how the MAX_FEE constant is defined to ensure it aligns with expected behavior for all input scenarios.

  3. Code Snippet for Validation:

    function setProtocolFee(IERC20 token, UD60x18 newProtocolFee) external override onlyAdmin {
    // Ensure that the new protocol fee does not exceed MAX_FEE
    require(newProtocolFee <= MAX_FEE, "Protocol fee exceeds maximum allowed.");
    // Existing logic...
    }

By implementing these recommendations, the contract can ensure that it maintains consistent and predictable behavior concerning fee management.

File Location

  • SablierFlowBase.sol

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.