The function set_max_price_increment includes a documentation note stating:
“The new value must be less than the StableSwap’s minimum fee.
fee / (2 * block_time) is considered to be safe.”
However, this constraint is not enforced in the code, meaning _max_price_increment can be set higher than the StableSwap’s minimum fee without restriction.
In the ScrUsdOracleV2.vy::set_max_price_increment
function documentation, it explicitly states:
Must be less than StableSwap’s minimum fee. fee / (2 * block_time) is considered to be safe
However, the actual implementation does not enforce this constraint, meaning the value can be set without verifying it against StableSwap’s minimum fee.
• Admins may inadvertently set the max_price_increment above the safe threshold.
• Potential confusion or misconfiguration, leading to unexpected behavior or price instability.
Manual audit
• Implement an explicit check in the code enforcing that the _max_price_increment provided is less than the current StableSwap minimum fee divided by (2 * block_time) to match the documented specification.
- Explicitly stated in the docs, so it is presumed that the DAO owning the DEFAULT_ADMIN_ROLE role will not make such a mistake - See [here](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid), where admin input errors can be considered as invalid
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.