Skip to content

Latest commit

 

History

History
39 lines (32 loc) · 1.89 KB

086.md

File metadata and controls

39 lines (32 loc) · 1.89 KB

Overt Alabaster Cottonmouth

Medium

MAX_TOTAL_FEES for EthosVouch.sol is set to 100% instead of the expected 10%

Description

MAX_TOTAL_FEES is set to 100% inside EthosVouch.sol. However the audit page clearly states that:

For both contracts:

  • Maximum total fees cannot exceed 10%

Impact

Function checkFeeExceedsMaximum() which is internally called each time any fee value is changed, will allow the total fees to reach 100%:

  File: ethos/packages/contracts/contracts/EthosVouch.sol

   991:            /* @notice Checks if the new fee would cause the total fees to exceed the maximum allowed
   992:             * @dev This function is called before updating any fee to ensure the total doesn't exceed MAX_TOTAL_FEES
   993:             * @param currentFee The current value of the fee being updated
   994:             * @param newFee The proposed new value for the fee
   995:             */
   996:            function checkFeeExceedsMaximum(uint256 currentFee, uint256 newFee) internal view {
   997:              uint256 totalFees = entryProtocolFeeBasisPoints +
   998:                exitFeeBasisPoints +
   999:                entryDonationFeeBasisPoints +
   1000:                entryVouchersPoolFeeBasisPoints +
   1001:                newFee -
   1002:                currentFee;
   1003:@--->         if (totalFees > MAX_TOTAL_FEES) revert FeesExceedMaximum(totalFees, MAX_TOTAL_FEES);
   1004:            }

Mitigation

  File: ethos/packages/contracts/contracts/EthosVouch.sol

-   120:            uint256 public constant MAX_TOTAL_FEES = 10000;
+   120:            uint256 public constant MAX_TOTAL_FEES = 1000;