Omniscia 0xPhase Audit
VaultSettersFacet Manual Review Findings
VSF-01M: Inexistent Sanitization of Variables
Type | Severity | Location |
---|---|---|
Input Sanitization |  | VaultSettersFacet.sol:L42, L88, L99 |
Description:
The referenced variables are expected to be at most 1e18 in value; however, no such upper bound is enforced by the codebase, so any uint256 value is accepted and stored.
Impact:
The VaultSettersFacet contract permits the VaultBase to be misconfigured as a result of non-existent input sanitization, as an out-of-range value is persisted to storage and subsequently consumed by the vault's arithmetic.
Example:
vault/diamond/VaultSettersFacet.sol

```solidity
36  /// @inheritdoc IVaultSetters
37  function setYieldPercent(
38      uint256 yieldPercent
39  ) external override updateMessageUser freezeCheck(true) updateDebt {
40      uint256 user = _s.creditAccount.getAccount(msg.sender);
41
42      _s.userInfo[user].yieldPercent = yieldPercent;
43
44      emit YieldPercentSet(user, yieldPercent);
45
46      _rebalanceYield(user);
47  }
```
Recommendation:
We advise the referenced variables to be adequately sanitized upon assignment (i.e. by ensuring they do not exceed 1e18), preventing arithmetic errors in VaultBase from manifesting as a result of a misconfiguration.
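The following is an added illustration, not code from the 0xPhase codebase, of the pattern the finding describes and the recommended fix. It assumes that 1e18 is the scale at which the percentages are expressed (the "up to 1e18" bound stated above) and uses a hypothetical `split` function to stand in for the downstream VaultBase arithmetic, since the actual consumer of `yieldPercent` is not shown on this page:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not 0xPhase code): an unchecked percent setter beside a
/// sanitized one, plus a hypothetical consumer that shows why the bound matters.
contract YieldPercentExample {
    /// Assumption: percentages are scaled so that 1e18 represents 100%.
    uint256 public constant PRECISION = 1e18;

    error InvalidPercent(uint256 given, uint256 max);

    mapping(address => uint256) public yieldPercent;

    /// The unchecked pattern flagged by VSF-01M: any uint256 is stored as-is.
    function setYieldPercentUnchecked(uint256 percent) external {
        yieldPercent[msg.sender] = percent;
    }

    /// Sanitized variant: values above 100% are rejected before they reach storage.
    function setYieldPercent(uint256 percent) external {
        if (percent > PRECISION) revert InvalidPercent(percent, PRECISION);
        yieldPercent[msg.sender] = percent;
    }

    /// Hypothetical downstream consumer (not the real VaultBase logic): directs a
    /// share of `balance` to yield and keeps the remainder. If the stored percent
    /// exceeds PRECISION, `toYield` exceeds `balance` and the subtraction reverts
    /// with a checked-arithmetic panic (0x11); a sufficiently large percent makes
    /// the multiplication itself overflow first. Either way the user's flow is
    /// stuck until the value is corrected.
    function split(address user, uint256 balance)
        external
        view
        returns (uint256 toYield, uint256 kept)
    {
        toYield = (balance * yieldPercent[user]) / PRECISION;
        kept = balance - toYield;
    }
}
```

Performing the bound check in the setter rather than in the consumer is the cheaper option: a single comparison at write time is paid once, whereas every read path would otherwise need to defend against an out-of-range value that should never have been stored.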
Alleviation (3dd3d7bf0c):
The input amount of only the first of the three referenced instances is sanitized, rendering this exhibit partially alleviated.
Alleviation (19668501f8):
The fees are properly sanitized in all referenced instances in the latest iteration of the codebase, rendering this exhibit alleviated.