RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Extreme Fee Setting Without Bounds

Description

  • The `ChangeFee` function lacks bounds validation, allowing the owner to set economically destructive fee percentages up to 16,777,215%. This could completely disable the protocol's swap functionality and undermine the entire economic model.

```solidity
function ChangeFee(bool _isBuyFee, uint24 _buyFee, bool _isSellFee, uint24 _sellFee) external onlyOwner {
@>  if(_isBuyFee) buyFee = _buyFee;   // No validation
@>  if(_isSellFee) sellFee = _sellFee; // No validation
}
```

Risk

Impact:

  • Owner can set 100%+ fees, blocking all swaps

  • Economic denial of service

  • Potential abuse if owner keys are compromised

Proof of Concept

Add the following to `RebateFiHookTest.t.sol`

```solidity
function test_OwnerCanSetExtremeFees() public {
    // Owner can set fees to 1,000,000% (1000x)
    rebateHook.ChangeFee(true, 1000000, true, 1000000);
    (uint24 buyFee, uint24 sellFee) = rebateHook.getFeeConfig();
    assertEq(buyFee, 1000000);  // 1000% fee
    assertEq(sellFee, 1000000); // 1000% fee
}

function test_OwnerCanSet100PercentFee() public {
    rebateHook.ChangeFee(false, 0, true, 100000); // 100% sell fee
    (uint24 buyFee, uint24 sellFee) = rebateHook.getFeeConfig();
    assertEq(sellFee, 100000); // Effectively blocks selling
}
```

Recommended Mitigation

```diff
function ChangeFee(bool _isBuyFee, uint24 _buyFee, bool _isSellFee, uint24 _sellFee) external onlyOwner {
    if(_isBuyFee) {
+       require(_buyFee <= 100000, "Buy fee cannot exceed 100%");
        buyFee = _buyFee;
    }
    if(_isSellFee) {
+       require(_sellFee <= 100000, "Sell fee cannot exceed 100%");
        sellFee = _sellFee;
    }
}
```
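As an added example (not the submission's or the protocol's code), a bounded stand-in for the setter with a Foundry fuzz test that exercises the cap across the whole uint24 range, checking that the boundary value is still accepted and that a rejected value leaves no half-applied update. The contract and its names are constructed, and the cap follows the mitigation above (100000 treated as 100%); if the hook's fee is in Uniswap v4 pips, where 1_000_000 is 100% (LPFeeLibrary.MAX_LP_FEE), the constant should be set to that instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the hook's fee setter, constructed for this example; it is not
// the RebateFi Hook contract. Fee unit as assumed on this page: 100000 == 100%.
contract BoundedFeeConfig {
    uint24 public constant MAX_FEE = 100000;
    address public immutable owner = msg.sender;
    uint24 public buyFee;
    uint24 public sellFee;

    error NotOwner();
    error FeeTooHigh(uint24 requested, uint24 max);

    function ChangeFee(bool _isBuyFee, uint24 _buyFee, bool _isSellFee, uint24 _sellFee) external {
        if (msg.sender != owner) revert NotOwner();
        // Validate both inputs before writing either, so a bad sell fee
        // cannot leave a half-applied update.
        if (_isBuyFee && _buyFee > MAX_FEE) revert FeeTooHigh(_buyFee, MAX_FEE);
        if (_isSellFee && _sellFee > MAX_FEE) revert FeeTooHigh(_sellFee, MAX_FEE);
        if (_isBuyFee) buyFee = _buyFee;
        if (_isSellFee) sellFee = _sellFee;
    }
}

contract BoundedFeeConfigTest is Test {
    BoundedFeeConfig cfg;

    function setUp() public {
        cfg = new BoundedFeeConfig(); // the test contract is the owner
    }

    // Every value above MAX_FEE, up to type(uint24).max (16,777,215), must revert.
    function testFuzz_RejectsFeeAboveMax(uint24 fee) public {
        vm.assume(fee > cfg.MAX_FEE());
        vm.expectRevert(
            abi.encodeWithSelector(BoundedFeeConfig.FeeTooHigh.selector, fee, cfg.MAX_FEE())
        );
        cfg.ChangeFee(true, fee, false, 0);
    }

    // The boundary value is accepted and only the selected side changes.
    function test_AcceptsMaxFeeOnly() public {
        cfg.ChangeFee(false, 0, true, cfg.MAX_FEE());
        assertEq(cfg.buyFee(), 0);
        assertEq(cfg.sellFee(), cfg.MAX_FEE());
    }
}
```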
Updates

Lead Judging Commences

chaossr Lead Judge 8 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
