Tall Berry Cat
Medium
[Medium] Incorrect Input Validation in setMaxPercent Function Allows Owner to Set Invalid Percentages
The setMaxPercent function in the NumaVault contract incorrectly validates the input parameter, allowing the owner to set invalid or unintended percentages. This oversight can lead to financial miscalculations and destabilization of the vault by enabling excessively high or inappropriate percentage limits.
In NumaVault.sol:287-291, the setMaxPercent function contains an incorrect validation check. Instead of verifying that the input _maxPercent is less than or equal to BASE_1000, it mistakenly checks the current state variable max_percent. This flaw allows the owner to set max_percent to any value without proper validation, potentially exceeding intended limits.
- The caller is the contract owner.
- The setMaxPercent function is invoked with an arbitrary _maxPercent value.
None. This issue can be exploited solely by the contract owner.
- Identify Vulnerable Function:
The attacker (contract owner) observes that the setMaxPercent function incorrectly validates input parameters by referencing the current state variable instead of the input value. Set Invalid Percentage:
-
The attacker calls setMaxPercent with an excessively high value (e.g., _maxPercent = 2000), bypassing the intended BASE_1000 (which likely represents 100%) limit. Exploit Financial Calculations:
-
With max_percent set to an invalid value, functions that rely on max_percent (such as buy and buyNoMax) can now accept inputs that exceed the protocol's designed limits. This can lead to overflows, underflows, or unintended large transactions, causing financial imbalances and potential loss of funds.
The incorrect input validation in the setMaxPercent function can result in:
- Financial Miscalculations: Functions using max_percent may process transactions beyond safe or intended limits, leading to incorrect fund allocations.
- Protocol Instability: Excessively high max_percent values can disrupt the vault's balance, affecting liquidity and user transactions.
- Loss of User Trust: Financial discrepancies and operational issues can erode user confidence in the protocol's reliability and security.
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
interface INumaVault {
function setMaxPercent(uint16 _maxPercent) external;
function buy(uint _inputAmount, uint _minNumaAmount, address _receiver) external returns (uint _numaOut);
}
contract MaliciousOwner {
INumaVault public numaVault;
constructor(address _numaVaultAddress) {
numaVault = INumaVault(_numaVaultAddress);
}
// Function to exploit the incorrect input validation
function exploit() external {
// Set max_percent to an invalid high value (e.g., 2000 which should represent 200%)
numaVault.setMaxPercent(2000);
}
// Function to perform a buy operation that exceeds intended limits
function performLargeBuy(uint _inputAmount, uint _minNumaAmount, address _receiver) external returns (uint _numaOut) {
_numaOut = numaVault.buy(_inputAmount, _minNumaAmount, _receiver);
}
}Correct Input Validation:
Update the setMaxPercent function to validate the input parameter _maxPercent instead of the current state variable max_percent.
Implement Additional Safeguards:
Introduce checks to ensure that max_percent cannot be set below a minimum threshold or beyond a maximum limit that aligns with the protocol's financial design.