Omniscia 0xPhase Audit
BalancerSettersFacet Manual Review Findings
BalancerSettersFacet Manual Review Findings
BSF-01M: Inexistent Sanitization of Performance Fee
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | BalancerSettersFacet.sol:L62-L70 |
Description:
The BalancerSettersFacet::setPerformanceFee function will not sanitize the input newPerformanceFee, permitting the contract to be misconfigured and potentially fail to calculate fees properly.
Impact:
The fee applied by BalancerBase::_totalBalance will be unfair and potentially incalculable if the performance fee within BalancerSettersFacet is misconfigured.
Example:
62/// @inheritdoc IBalancerSetters63 /// @custom:protected onlyRole(BalancerConstants.MANAGER_ROLE)64 function setPerformanceFee(65 uint256 newPerformanceFee66 ) external override onlyRole(BalancerConstants.MANAGER_ROLE) {67 _s().performanceFee = newPerformanceFee;68
69 emit PerformanceFeeSet(newPerformanceFee);70 }71}Recommendation:
We advise the code to introduce a require check ensuring that newPerformanceFee is less than 1 ether at minimum based on the implementation of BalancerBase::_totalBalance. Additionally, we strongly advise the limit to be set to a lower value than 100% to ensure that the performance fee is up to a fair value.
Alleviation:
A fee limitation is now imposed by BalancerSettersFacet::setPerformanceFee which permits the fee to be up-to 10% of the overall amount, alleviating this exhibit in full.