Omniscia 0xPhase Audit
BalancerInitializer Manual Review Findings
BIR-01M: Inexistent Sanitization of Performance Fee
Type | Severity | Location
---|---|---
Input Sanitization | | BalancerInitializer.sol:L23-L26
Description:
The BalancerInitializer::initializeBalancerV1 function does not sanitize the initialPerformanceFee_ input, permitting the contract to be misconfigured and potentially fail to calculate fees properly.
Impact:
The fee applied by BalancerBase::_totalBalance will be unfair and potentially incalculable if the performance fee within BalancerInitializer is misconfigured.
Example:
```solidity
23 function initializeBalancerV1(
24   IDB db_,
25   uint256 initialPerformanceFee_
26 ) external initialize("v1") {
27   require(
28     address(db_) != address(0),
29     "BalancerInitializer: DB cannot be 0 address"
30   );
31
32   _initializeElement(db_);
33   _initializeClock();
34
35   BalancerStorage storage s = _s();
36
37   s.treasury = ITreasury(db_.getAddress("TREASURY"));
38   s.performanceFee = initialPerformanceFee_;
39
40   s.feeAccount = ICreditAccount(db_.getAddress("CREDIT_ACCOUNT")).getAccount(
41     db_.getAddress("MANAGER")
42   );
43
44   _initializeAccessControlWithKey(keccak256("MANAGER"));
45
46   _grantRoleKey(DIAMOND_CUT_ROLE, keccak256("MANAGER"));
47   _grantRoleKey(BalancerConstants.MANAGER_ROLE, keccak256("MANAGER"));
48   _grantRoleKey(BalancerConstants.DEV_ROLE, keccak256("DEV"));
49   _grantRoleKey(BalancerConstants.VAULT_ROLE, keccak256("VAULT"));
50
51   emit PerformanceFeeSet(initialPerformanceFee_);
52 }
```
Recommendation:
We advise the code to introduce a require check ensuring that initialPerformanceFee_ is, at minimum, less than 1 ether, based on the implementation of BalancerBase::_totalBalance. Additionally, we strongly advise the limit to be set to a value lower than 100% to ensure that the performance fee is capped at a fair value.
Alleviation:
A fee limitation is now imposed by BalancerInitializer::initializeBalancerV1 which permits the fee to be up to 10% of the overall amount, alleviating this exhibit in full.
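The following is an added illustration of the recommended bound and of why the 1 ether ceiling matters; it is not code from the audited BalancerInitializer or from 0xPhase. It assumes, based on the "less than 1 ether" wording above, that the performance fee is an 18-decimal fixed-point fraction in which 1 ether represents 100%, and that BalancerBase::_totalBalance nets the fee share off a gross balance; the contract name, the constants FEE_DENOMINATOR and MAX_PERFORMANCE_FEE, and the functions isValidPerformanceFee and netBalance are hypothetical names introduced here. The cap of 0.1 ether mirrors the 10% limit described in the alleviation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract. The fee scale (1 ether == 100%)
// and the shape of the netting computation are assumptions.
contract BoundedPerformanceFeeExample {
    // 18-decimal fixed point: 1 ether is 100% of the balance.
    uint256 public constant FEE_DENOMINATOR = 1 ether;

    // Hypothetical cap matching the 10% limit adopted in the alleviation.
    uint256 public constant MAX_PERFORMANCE_FEE = 0.1 ether;

    uint256 public immutable performanceFee;

    event PerformanceFeeSet(uint256 fee);

    // The constructor plays the role of initializeBalancerV1: the fee is
    // validated once, at setup, so a misconfiguration fails loudly at
    // deployment instead of corrupting every later fee calculation.
    constructor(uint256 initialPerformanceFee_) {
        require(
            isValidPerformanceFee(initialPerformanceFee_),
            "BalancerInitializer: performance fee exceeds maximum"
        );
        performanceFee = initialPerformanceFee_;
        emit PerformanceFeeSet(initialPerformanceFee_);
    }

    // The sanitization check on its own. Anything above the cap is rejected,
    // which also excludes the degenerate 100% (1 ether) and above cases.
    function isValidPerformanceFee(uint256 fee_) public pure returns (bool) {
        return fee_ <= MAX_PERFORMANCE_FEE;
    }

    // Assumed shape of the fee netting in _totalBalance: the user-facing
    // balance is the gross balance minus the fee share. Without the bound,
    // a fee of exactly 1 ether would consume the whole balance and any fee
    // above 1 ether would make the subtraction revert under Solidity >= 0.8
    // checked arithmetic (or silently underflow in an unchecked block),
    // which is the "incalculable" outcome the finding describes.
    function netBalance(uint256 gross_) external view returns (uint256) {
        uint256 feeShare = (gross_ * performanceFee) / FEE_DENOMINATOR;
        return gross_ - feeShare;
    }
}
```

With this bound in place, a deployment attempting `new BoundedPerformanceFeeExample(1 ether)` reverts at construction, whereas `new BoundedPerformanceFeeExample(0.05 ether)` succeeds and `netBalance(1000)` returns 950.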