Category: Business Logic

Set range limits for parameters

Informational Severity
Informational Impact
Low Likelihood

Description

Important parameters, such as cumulativeRewardDeductions and bonusRewards, would benefit from a check that the values they are set to fall within a reasonable range. For example,

function setBonusRewards(address _account, uint256 _amount) external override nonReentrant {
    _validateHandler();
    bonusRewards[_account] = _amount;
}

does not have a check that the _amount is within a reasonable range. This could be remediated by adding a check that the _amount is less than or equal to a MAX_BONUS_REWARDS constant.

The MAX_BONUS_REWARDS constant (and its counterpart for cumulativeRewardDeductions) could be defined as:

uint256 public constant MAX_CUMULATIVE_REWARD_DEDUCTIONS = 1000;
uint256 public constant MAX_BONUS_REWARDS = 1000;

Impact

Although this does not pose a direct security risk, as the functions can only be called by a handler, it is good security practice to validate parameters before setting them. It also makes clear to users that the contract they are interacting with enforces limits on the values that can be set for particular parameters.

Recommendations

We recommend implementing range checks in both setCumulativeRewardDeductions and setBonusRewards.
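The recommended range checks applied to both setters, as an added illustration rather than the audited project's code; the contract name, the handler bookkeeping, the custom error names and the omission of the original `override nonReentrant` modifiers (their interface and guard are not shown on this page) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not the audited project's code): a minimal reward
// store whose setters enforce the upper bounds the finding recommends.
// The contract name, the handler bookkeeping and the error names are
// assumptions made for this example.
contract BoundedRewardStore {
    uint256 public constant MAX_CUMULATIVE_REWARD_DEDUCTIONS = 1000;
    uint256 public constant MAX_BONUS_REWARDS = 1000;

    mapping(address => bool) public isHandler;
    mapping(address => uint256) public cumulativeRewardDeductions;
    mapping(address => uint256) public bonusRewards;

    error NotHandler(address caller);
    error ValueOutOfRange(uint256 value, uint256 max);

    constructor() {
        // The deployer acts as the initial handler in this example.
        isHandler[msg.sender] = true;
    }

    function _validateHandler() internal view {
        if (!isHandler[msg.sender]) revert NotHandler(msg.sender);
    }

    // Shared range check so every bounded setter rejects out-of-range
    // values the same way and reports the limit that was exceeded.
    function _checkRange(uint256 _value, uint256 _max) internal pure {
        if (_value > _max) revert ValueOutOfRange(_value, _max);
    }

    function setCumulativeRewardDeductions(address _account, uint256 _amount) external {
        _validateHandler();
        _checkRange(_amount, MAX_CUMULATIVE_REWARD_DEDUCTIONS);
        cumulativeRewardDeductions[_account] = _amount;
    }

    function setBonusRewards(address _account, uint256 _amount) external {
        _validateHandler();
        _checkRange(_amount, MAX_BONUS_REWARDS);
        bonusRewards[_account] = _amount;
    }
}
```

A call such as `setBonusRewards(account, 1001)` now reverts with `ValueOutOfRange(1001, 1000)` instead of silently storing the value, which also gives off-chain monitoring a distinct revert reason to alert on.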

Remediation

Zellic © 2024