Category: Business Logic

Potential centralization risk from fee configuration

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

The SilicaPools contract allows the owner to set the sMintFeeBps value:

function setMintFeeBps(uint256 newMintFeeBps) external onlyOwner {
    sMintFeeBps = newMintFeeBps;
    emit SilicaPools__MintFeeChanged(newMintFeeBps);
}

The sMintFeeBps value determines the fee percentage for executing the fillOrder function.

Impact

The owner has the ability to make fees arbitrarily high, even above 100%. In general, this requires unnecessary trust from users, which might discourage use of the protocol. In the case of key compromise, this would grant an attacker the ability to steal additional user funds.

Recommendations

We recommend adding a reasonable upper limit (that is at least below 100%) on sMintFeeBps.
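
One way to enforce such a bound, shown as an added example that is not Alkimiya's code and not the fix from the commits referenced under Remediation. The contract name, the 10% cap, the error names, the minimal owner check and the fee formula are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the SilicaPools contract. The cap value, the
// errors, the owner check and mintFee() are assumptions for this example.
contract MintFeeCapExample {
    uint256 public constant BPS_DENOMINATOR = 10_000; // 100% in basis points
    uint256 public constant MAX_MINT_FEE_BPS = 1_000; // assumed cap: 10%

    address public immutable owner;
    uint256 public sMintFeeBps;

    event SilicaPools__MintFeeChanged(uint256 newMintFeeBps);

    error MintFeeTooHigh(uint256 requested, uint256 maximum);
    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 initialMintFeeBps) {
        owner = msg.sender;
        // The initial value goes through the same check as later updates.
        _setMintFeeBps(initialMintFeeBps);
    }

    function setMintFeeBps(uint256 newMintFeeBps) external onlyOwner {
        _setMintFeeBps(newMintFeeBps);
    }

    // Single choke point: every write to sMintFeeBps is bounded here, so a
    // compromised owner key can raise the fee to the cap and no further.
    function _setMintFeeBps(uint256 newMintFeeBps) internal {
        if (newMintFeeBps > MAX_MINT_FEE_BPS) {
            revert MintFeeTooHigh(newMintFeeBps, MAX_MINT_FEE_BPS);
        }
        sMintFeeBps = newMintFeeBps;
        emit SilicaPools__MintFeeChanged(newMintFeeBps);
    }

    // Hypothetical fee math: with the cap enforced, the result is at most
    // amount * MAX_MINT_FEE_BPS / BPS_DENOMINATOR, never more than amount.
    function mintFee(uint256 amount) public view returns (uint256) {
        return (amount * sMintFeeBps) / BPS_DENOMINATOR;
    }
}
```

Declaring the cap as a constant rather than an owner-settable variable keeps the bound itself out of reach of the owner key.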

Remediation

This issue has been acknowledged by Alkimiya, and fixes were implemented in the following commits:

Zellic © 2024