search
Active Boosts

#36065 [SC-Insight] `Market.update_market_configuration` should reuse old configuration's `base_toke

Submitted on Oct 17th 2024 at 16:05:55 UTC by @jasonxiale for IOP | Swaylendarrow-up-right

  • Report ID: #36065

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/Swaylend/swaylend-monorepo/blob/main/contracts/market/src/main.sw

  • Impacts:

hashtag
Description

hashtag
Brief/Intro

In Market.update_market_configurationarrow-up-right, while updating the `MarketConfiguration`, orignal `configuration.base_token` can't be changed in main.sw#L980arrow-up-right, `MarketConfiguration.base_token_decimals` shouldn't be changed too.

hashtag
Vulnerability Details

```Rust 971 // # 11. Changing market configuration 972 #[storage(write)] 973 fn update_market_configuration(configuration: MarketConfiguration) { 974 // Only owner can update the market configuration 975 only_owner(); 976 977 let mut configuration = configuration; 978 979 // Cannot change base token and tracking index scale 980 configuration.base_token = storage.market_configuration.read().base_token; <<<--- `MarketConfiguration.base_token_decimals` should be reused here too 981 configuration.base_tracking_index_scale = storage.market_configuration.read().base_tracking_index_scale; 982 983 // Update the market configuration 984 storage.market_configuration.write(configuration); 985 986 // Emit market configuration event 987 log(MarketConfigurationEvent { 988 market_config: configuration, 989 }); 990 } ```

hashtag
Impact Details

To avoid the mistake

hashtag
References

Add any relevant links to documentation or code

hashtag
Link to Proof of Concept

https://gist.github.com/crazy4linux/382b80b244a219346a827755a3ea594e

hashtag
Proof of Concept

hashtag
Proof of Concept

Previous#35724 [SC-Low] Users can withdraw collateral even when the admin pauses the contract.Next#35815 [SC-Medium] `Market.present_value_borrow` should be roundUp

Last updated

Was this helpful?