Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $50,000 USDC
Total HM: 31
Participants: 99
Period: 5 days
Judges: moose-code, JasoonS, denhampreen
Total Solo HM: 17
Id: 139
League: ETH
Rank: 80/99
Findings: 1
Award: $53.14
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, FudgyDRS, Funen, GalloDaSballo, GimelSec, JC, Kaiziron, Lambda, Limbooo, Metatron, MiloTruck, Noah3o6, Picodes, PumpkingWok, PwnedNoMore, Sm4rty, StErMi, TomJ, TrungOre, UnusualTurtle, Waze, _Adam, aga7hokakological, ak1, antonttc, berndartmueller, cccz, cryptphi, csanuragjain, defsec, delfin454000, dipp, elprofesor, exd0tpy, fatherOfBlocks, hake, hansfriese, hubble, joestakey, kenta, ladboy233, mics, oyc_109, pashov, pedr02b2, reassor, robee, samruna, scaraven, shung, sikorico, simon135, sseefried, tchkvsky, unforgiven, zzzitron
53.1414 USDC - $53.14
One could set the fee to anything. If it was set to 100% all incoming Tokemak rewards would be sent with _sendAffiliateFee. If it was higher, it would send also send reserves of TOKE (which would eventually fail due to a lack of reserves).
The setting of a high fee doesn't just allow rug pulling by the owner, it could also happen by mistake and cause users to lose valuable rewards.
See code of _sendAffiliateFee on lines 129-134.
Manual Inspection
Create a new constant called MAX_AFFILIATE_FEE and ensure that fee can't be set higher.
e.g.
uint256 public constant MAX_AFFILIATE_FEE = 1000; // 10% in basis points
function setAffiliateFee(uint256 _affiliateFee) external onlyOwner { require(_affiliateFee < MAX_AFFILIATE_FEE, "Fee too high"); affiliateFee = _affiliateFee; emit LogSetAffiliateFee(block.number, _affiliateFee); }
#0 - JustDravee
2022-06-27T17:26:52Z
#1 - toshiSat
2022-06-27T23:29:39Z
duplicate #255