#36065 [SC-Insight] `Market.update_market_configuration` should reuse old configuration's `base_token.decimals`

Submitted on Oct 17th 2024 at 16:05:55 UTC by @jasonxiale for IOP | Swaylend

  • Report ID: #36065

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/Swaylend/swaylend-monorepo/blob/main/contracts/market/src/main.sw

  • Impacts:

Description

Brief/Intro

In `Market.update_market_configuration`, the original `configuration.base_token` can't be changed when the `MarketConfiguration` is updated (main.sw#L980); `MarketConfiguration.base_token_decimals` shouldn't be changed either.

Vulnerability Details

```Rust
971 // # 11. Changing market configuration
972 #[storage(write)]
973 fn update_market_configuration(configuration: MarketConfiguration) {
974     // Only owner can update the market configuration
975     only_owner();
976
977     let mut configuration = configuration;
978
979     // Cannot change base token and tracking index scale
980     configuration.base_token = storage.market_configuration.read().base_token; // <<<--- `MarketConfiguration.base_token_decimals` should be reused here too
981     configuration.base_tracking_index_scale = storage.market_configuration.read().base_tracking_index_scale;
982
983     // Update the market configuration
984     storage.market_configuration.write(configuration);
985
986     // Emit market configuration event
987     log(MarketConfigurationEvent {
988         market_config: configuration,
989     });
990 }
```
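The following is an added example, not code from the report or from Swaylend: a plain-Rust model of the update logic above that shows the stored token staying fixed while its decimals follow the caller's input, next to the variant the report suggests. The field types, the `supply_kink` field, the `Market` wrapper and all sample values are assumptions made for illustration.

```rust
// Plain-Rust model of the Sway update logic (added example, not Swaylend code).
// Field types and `supply_kink` are assumptions; the owner check is omitted.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct MarketConfiguration {
    pub base_token: [u8; 32], // stands in for the Sway asset id
    pub base_token_decimals: u32,
    pub base_tracking_index_scale: u128,
    pub supply_kink: u128, // hypothetical owner-tunable parameter
}

pub struct Market { pub stored: MarketConfiguration }

impl Market {
    /// Mirrors the reported function: two fields pinned, decimals taken from the caller.
    pub fn update_as_reported(&mut self, new: MarketConfiguration) {
        let mut cfg = new;
        cfg.base_token = self.stored.base_token;
        cfg.base_tracking_index_scale = self.stored.base_tracking_index_scale;
        self.stored = cfg;
    }

    /// The report's suggestion: reuse the stored decimals as well.
    pub fn update_with_decimals_pinned(&mut self, new: MarketConfiguration) {
        let mut cfg = new;
        cfg.base_token = self.stored.base_token;
        cfg.base_token_decimals = self.stored.base_token_decimals;
        cfg.base_tracking_index_scale = self.stored.base_tracking_index_scale;
        self.stored = cfg;
    }
}

/// Constructed sample values: the stored configuration and an owner-supplied update.
pub fn sample_configs() -> (MarketConfiguration, MarketConfiguration) {
    let stored = MarketConfiguration { base_token: [0xAA; 32], base_token_decimals: 6,
        base_tracking_index_scale: 1_000_000_000_000_000, supply_kink: 80 };
    let update = MarketConfiguration { base_token: [0xBB; 32], base_token_decimals: 18,
        base_tracking_index_scale: 1, supply_kink: 90 };
    (stored, update)
}

fn main() {
    let (stored, update) = sample_configs();
    let mut reported = Market { stored };
    reported.update_as_reported(update);
    let mut pinned = Market { stored };
    pinned.update_with_decimals_pinned(update);
    println!("as reported: decimals = {}", reported.stored.base_token_decimals);
    println!("pinned:      decimals = {}", pinned.stored.base_token_decimals);
}
```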

Impact Details

To avoid the mistake

References


https://gist.github.com/crazy4linux/382b80b244a219346a827755a3ea594e

Proof of Concept
