No enforced minimum value on fixedPriceMarkup
Description
The setFixedPriceMarkup() function is used to set the fixedPriceMarkup storage variable. This variable is a multiplier that is used to calculate the marked-up requiredPrefund amount in _validatePaymasterUserOp() that a user must prefund the Paymaster with prior to submitting any user operations.
setFixedPriceMarkup() enforces a maximum value of 2e6 (i.e., a 2x multiplier) but does not enforce a minimum value.
Impact
If the owner accidentally sets fixedPriceMarkup to a value less than 1e6, _validatePaymasterUserOp() will fail any time a priceMarkup in the range [0, 1e6) is used, because the larger of the two values is then still below 1e6. This is due to the following code within _validatePaymasterUserOp():
require(priceMarkup <= 2e6, "Verifying PM:high markup %");
uint32 dynamicMarkup = MathLib.maxuint32(priceMarkup, fixedPriceMarkup);
require(dynamicMarkup >= 1e6, "Verifying PM:low markup %");
Recommendations
Enforce a minimum value of 1e6 for fixedPriceMarkup in setFixedPriceMarkup().
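A sketch of the recommended bound, added here as an illustration; it is not Biconomy's code and not the fix from the remediation commit. The contract name, constant names, custom errors, event, owner check and the prefund formula are assumptions; only fixedPriceMarkup, setFixedPriceMarkup() and the two revert strings come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: setter bounded on both sides, next to the validation
/// logic quoted in the finding. All names not quoted there are assumptions.
contract MarkupBoundsSketch {
    uint32 private constant PRICE_DENOMINATOR = 1e6; // 1e6 == 1.0x (assumed name)
    uint32 private constant MAX_PRICE_MARKUP = 2e6;  // 2e6 == 2.0x (assumed name)

    address public immutable owner;
    uint32 public fixedPriceMarkup = PRICE_DENOMINATOR; // starts inside the valid range

    error NotOwner();
    error MarkupOutOfRange(uint32 supplied, uint32 min, uint32 max);
    event FixedPriceMarkupChanged(uint32 previous, uint32 current);

    constructor() {
        owner = msg.sender;
    }

    /// Hardened setter: rejects values below 1e6 as well as above 2e6, so a
    /// misconfiguration reverts here instead of breaking later validations.
    function setFixedPriceMarkup(uint32 newMarkup) external {
        if (msg.sender != owner) revert NotOwner();
        if (newMarkup < PRICE_DENOMINATOR || newMarkup > MAX_PRICE_MARKUP) {
            revert MarkupOutOfRange(newMarkup, PRICE_DENOMINATOR, MAX_PRICE_MARKUP);
        }
        emit FixedPriceMarkupChanged(fixedPriceMarkup, newMarkup);
        fixedPriceMarkup = newMarkup;
    }

    /// Same checks as the three lines quoted from _validatePaymasterUserOp().
    /// With the bounded setter, max(priceMarkup, fixedPriceMarkup) is always
    /// >= 1e6, so the second require is kept only as a defensive invariant.
    function effectiveMarkup(uint32 priceMarkup) public view returns (uint32 dynamicMarkup) {
        require(priceMarkup <= MAX_PRICE_MARKUP, "Verifying PM:high markup %");
        dynamicMarkup = priceMarkup > fixedPriceMarkup ? priceMarkup : fixedPriceMarkup;
        require(dynamicMarkup >= PRICE_DENOMINATOR, "Verifying PM:low markup %");
    }

    /// Assumed formula for the marked-up prefund (multiplier over a 1e6 base).
    function markedUpPrefund(uint256 requiredPrefund, uint32 priceMarkup) external view returns (uint256) {
        return (requiredPrefund * effectiveMarkup(priceMarkup)) / PRICE_DENOMINATOR;
    }
}
```

A unit test for a setter like this should cover the boundary values 1e6 - 1, 1e6, 2e6 and 2e6 + 1, and confirm that a priceMarkup of 0 validates once fixedPriceMarkup is in range.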
Remediation
Biconomy Labs implemented a fix for this issue in commit 6074b93.