Omniscia vfat Audit
NftSettingsRegistry Manual Review Findings
NftSettingsRegistry Manual Review Findings
NSR-01M: Improper Validation of Slippage Values
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | NftSettingsRegistry.sol: • I-1: L289 • I-2: L358 |
Description:
The referenced slippage values defined in basis points are insufficiently validated as they are permitted to be 0.
Impact:
A slippage value of 0 is effectively invalid as the likelihood of the associated operation reverting is significantly high.
Example:
271if (!settings.autoExit) {272 if (273 settings.exitConfig.triggerTickLow != 0274 || settings.exitConfig.triggerTickHigh != 0275 || settings.exitConfig.exitTokenOutLow != address(0)276 || settings.exitConfig.exitTokenOutHigh != address(0)277 || settings.exitConfig.slippageBP != 0278 || settings.exitConfig.priceImpactBP != 0279 ) {280 revert AutoExitNotSet();281 }282} else {283 if (284 settings.exitConfig.triggerTickLow == 0285 && settings.exitConfig.triggerTickHigh == 0286 ) {287 revert ExitTriggersNotSet();288 }289 if (settings.exitConfig.slippageBP > MAX_SLIPPAGE_BP) {290 revert InvalidSlippageBP();291 }292 if (293 settings.exitConfig.priceImpactBP > MAX_PRICE_IMPACT_BP294 || settings.exitConfig.priceImpactBP == 0295 ) {296 revert InvalidPriceImpactBP();297 }298}Recommendation:
Similarly to other configurational variables, we advise them to be sanitized as being non-zero so as to ensure valid slippage configuration values.
Alleviation (6ab7af3bb495b817ffec469255ea679b1813eecb):
The vfat team evaluated this exhibit and stated that a zero-value slippage is desirable.
While the code will behave as expected when the zero-value slippage is imposed, the dynamic conditions of the market will significantly increase the likelihood of such a transaction reverting and would usually indicate malformed input.
In any case, as the vfat team wishes to retain this behaviour as acceptable within their codebase we consider this exhibit to be acknowledged.