Platform: Code4rena
Start Date: 27/05/2021
Pot Size: $100,000 USDC
Total HM: 12
Participants: 7
Period: 7 days
Judge: LSDan
Total Solo HM: 10
Id: 12
League: ETH
Rank: 6/7
Findings: 2
Award: $6,371.78
🌟 Selected for report: 1
🚀 Solo Findings: 0
644.3391 USDC - $644.34
pauliax
function setDebtLimits should explicitly enforce that parameters max >= min. It is not a vulnerability but I think it is a good practice to enforce such validation in code.
require(max >= min, "max < min");
#0 - alcueca
2021-06-01T12:58:05Z
Good suggestion, will do. Thanks!
#1 - dmvt
2021-06-14T20:52:37Z
duplicate of #41
#2 - alcueca
2021-07-09T10:30:54Z
Actually, there is a bit of a misunderstanding here because of the use of min and max as variable names.
min is what MakerDAO calls dust. The minimum amount of debt for an underlying/collateral pair that is allowed in a vault.
max is what MakerDAO calls ceiling. The maximum amount of debt for an underlying/collateral that is allowed for the protocol.
While it might be logical that max >= min, we will use the ceiling (max) as a way of enabling/disabling pairs, so it might be set up to zero in pairs that are being set up. We might want to set up the dust parameter before then.
Given that there is no risk to user funds on not checking that max >= min, we will not fix this one.
🌟 Selected for report: pauliax
0 USDC - $0.00
pauliax
In the contract ChainlinkMultiOracle both functions 'peek' and 'get' are identical. They are declared as views while based on IOracle interface 'get' should be transactional.
#0 - alcueca
2021-06-01T12:52:42Z
We will fix it, but I don't think that there is any risk derived from this bug.