Storage Proofs

Curve

DeFiLayer 1Layer 2

14,723 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing StableSwap Fee Check in `set_max_price_increment`

bhorprakash

Summary

No Comparison of `_max_price_increment` to StableSwap Fee

The function set_max_price_increment lacks a necessary validation step to ensure that the provided _max_price_increment remains below the StableSwap minimum fee. This could potentially allow unsafe configurations that might impact price stability.

Description

Affected Function:

@external

def set_max_price_increment(_max_price_increment: uint256):

"""

@notice Set maximum price increment of scrvUSD.

@=> Must be less than StableSwap's minimum fee.

fee / (2 * block_time) is considered to be safe.

@param _max_price_increment Maximum acceleration (per sec)

"""

access_control._check_role(access_control.DEFAULT_ADMIN_ROLE, msg.sender)

# @audit-issue No comparison of `_max_price_increment` to StableSwap fee...

# Comment suggests it should be less than that, but check is missing

assert 10**8 <= _max_price_increment and _max_price_increment <= 10**18

self.max_price_increment = _max_price_increment

log SetMaxPriceIncrement(_max_price_increment)

The function documentation clearly states that _max_price_increment must be less than StableSwap's minimum fee.
However, the function does not actually check the StableSwap fee before assigning the value.
This could result in setting a _max_price_increment that is higher than expected, leading to unintended price movement.

Impact

Potential Market Instability: If _max_price_increment is set too high, it could cause excessive price volatility.
Deviation from Intended Behavior: The contract claims to enforce a relationship with StableSwap's minimum fee, but it does not.
Risk of Misconfiguration: Admins might unintentionally set an invalid _max_price_increment, impacting the pricing mechanism.

Recommendation

Modify the function to include an explicit check against the StableSwap fee:
Ensure that _max_price_increment is validated against a reference fee stored in the contract or fetched externally from the StableSwap contract.

Updates

Lead Judging Commences

0xnevi Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] finding-max-price-increment-check-fee

- Explicitly stated in the docs, so it is presumed that the DAO owning the DEFAULT_ADMIN_ROLE role will not make such a mistake - See [here](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid), where admin input errors can be considered as invalid

Prize pool breakdown

Total prize

14,723 OP

Eagles

1,472 OP

nSLOC

394

37 OP / LOC

High Medium

12,700

Low

551

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.