QA Report #67
Labels: bug (Something isn't working); QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Title : Missing input validation for values which should not be greater than 1
Impact
Various contracts allow updates to some config or parameter values which should never be greater than 1.
The input validation for this check is missing in these update functions.
If values greater than 1 are accepted, it may result in unpredictable behavior or a panic.
Proof of Concept
Listed below are some of the values which should be checked.
#1
Config : max_borrow_factor
Contract : money-market-contracts/contracts/market/src/contract.rs
Function : pub fn update_config(...)
Line 321 :
#2
Config : base_rate
Contract : money-market-contracts/contracts/interest_model/src/contract.rs
Function : pub fn update_config(...)
Line 74 :
#3
Config : interest_multiplier
Contract : money-market-contracts/contracts/interest_model/src/contract.rs
Function : pub fn update_config(...)
Line 78 :
Recommended Mitigation Steps
It's recommended to add a check that the values for these configs are not more than 1.
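A sketch of the recommended check, added here as an illustration and not taken from the money-market-contracts code. `Ratio`, `ConfigError`, `check_ratio` and the single combined `Config` struct are hypothetical stand-ins (the three values live in two different contracts, and the real contracts use their own decimal type); every supplied value is validated before any of them is stored.

```rust
// Added example. Ratio is a hypothetical stand-in for the contracts' decimal
// type: an integer scaled by 10^18, so Ratio::ONE represents exactly 1.0.
#[derive(Debug, Clone, Copy, PartialEq, PartialOrd)]
pub struct Ratio(pub u128);

impl Ratio {
    pub const ONE: Ratio = Ratio(1_000_000_000_000_000_000);
    pub fn percent(p: u128) -> Ratio { Ratio(p * Self::ONE.0 / 100) }
}

#[derive(Debug, PartialEq)]
pub enum ConfigError { RatioAboveOne { field: &'static str } }

// Hypothetical: one struct holding the three values named in the report.
#[derive(Debug, PartialEq)]
pub struct Config {
    pub max_borrow_factor: Ratio,
    pub base_rate: Ratio,
    pub interest_multiplier: Ratio,
}

// Reject any value strictly greater than 1; exactly 1 is still accepted.
fn check_ratio(field: &'static str, v: Ratio) -> Result<Ratio, ConfigError> {
    if v > Ratio::ONE { Err(ConfigError::RatioAboveOne { field }) } else { Ok(v) }
}

// Validate every supplied value first, then write, so a rejected update
// never leaves the config half-modified.
pub fn update_config(
    cfg: &mut Config,
    max_borrow_factor: Option<Ratio>,
    base_rate: Option<Ratio>,
    interest_multiplier: Option<Ratio>,
) -> Result<(), ConfigError> {
    let mbf = max_borrow_factor.map(|v| check_ratio("max_borrow_factor", v)).transpose()?;
    let br = base_rate.map(|v| check_ratio("base_rate", v)).transpose()?;
    let im = interest_multiplier.map(|v| check_ratio("interest_multiplier", v)).transpose()?;
    if let Some(v) = mbf { cfg.max_borrow_factor = v; }
    if let Some(v) = br { cfg.base_rate = v; }
    if let Some(v) = im { cfg.interest_multiplier = v; }
    Ok(())
}

fn main() {
    // Constructed sample values.
    let mut cfg = Config { max_borrow_factor: Ratio::percent(95),
        base_rate: Ratio::percent(2), interest_multiplier: Ratio::percent(20) };
    println!("{:?}", update_config(&mut cfg, None, Some(Ratio::percent(150)), None));
}
```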