Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Awaken Swap>Medium findings>No guard on admin-set fee rate
GeneralOverview
Findings
High (3)
Medium (2)Calling `ChangeOwner` may lock ownership upon user errorNo guard on admin-set fee rate
Low (1)
Informational (2)
DiscussionVirtual addresses are not actually usedNo tests for ACS2 read/write path correctnessAdditional token-sanity checks
Threat ModelModule: AwakenSwapContract.csModule: AwakenSwapContract_Admin.csModule: AwakenSwapContract_Helper.csModule: AwakenSwapContract_LP.csModule: AwakenSwapContract_Swap.csModule: AwakenSwapContract_Views.csModule: TokenContract.csModule: TokenContract_ACS2.csModule: TokenContract_Actions.cs
Audit ResultsSummary
Category: Business Logic

No guard on admin-set fee rate

Medium Severity
Medium Impact
Low Likelihood

Description

In the swap contract, the admin can call SetFeeRate to set a new fee rate:

public override Empty SetFeeRate(Int64Value input)
{
    AssertSenderIsAdmin();
    State.FeeRate.Value = input.Value;
    return new Empty();
}

However, there is no check on the input.

Impact

If the new fee rate is above FeeRateMax, then invariants are broken, since the charged fee would be larger than 100%. Similarly, if the fee rate is below zero, then other unintended and unchecked behavior may occur.

Recommendations

This admin function should have a guard on the range of the input.

Remediation

This issue has been acknowledged by Awaken Finance, and a fix was implemented in commit 1eeef4bf.

Zellic © 2024Back to top ↑