Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Bond Protocol>Informational findings>The ,vesting, value for ,BondFixedTerm, type of market can be incorectly set by the market creator
GeneralOverview
Findings
Medium (2)
Low (1)
Informational (3)Lack of input validationInvalid array indexesIncorrectly set market
DiscussionRedundant safeTransfer callAssure token is activeRemove unchecked blockDouble-counted auctioneer
Threat ModelsWhat are threat models?BondAggregator.solBondBaseCallback.solBondBaseSDA.solBondBaseTeller.solBondFixedExpirySDA.solBondFixedExpiryTeller.solBondFixedTermSDA.solBondFixedTermTeller.sol
Audit ResultsResults
Category: Coding Mistakes

The vesting value for BondFixedTerm type of market can be incorectly set by the market creator

Informational Severity
Informational Impact
N/A Likelihood

Description

There are two types of markets for fixed term and fixed expiry bonds. The maximum vesting value for fixed term bonds is 50 years, but actually there are not any checks of the input params_.vesting value; therefore, the market creator can set greater value than the maximum.

Impact

A market created with a larger than expected vesting value is invalid, and it can cause unexpected behavior for this market. For example, the isInstantSwap function will define this market as an instant swap market and return true value.

Recommendations

Add validation of the input params_.vesting value.

Remediation

Bond Labs acknowledged this finding and implemented a fix in commit 0538adb3.

Zellic © 2024Back to top ↑