From 19d33d5fe806c610bb3176513339feb31c1dedb4 Mon Sep 17 00:00:00 2001
From: Michael De Luca
Date: Sun, 12 Dec 2021 05:38:00 -0500
Subject: [PATCH] fix: Input validation for `setAllowedSlippage` (c4 #45)
---
 contracts/DebtLocker.sol | 3 ++-
 contracts/test/DebtLocker.t.sol | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/contracts/DebtLocker.sol b/contracts/DebtLocker.sol
index ce1c4c1..f5195e8 100644
--- a/contracts/DebtLocker.sol
+++ b/contracts/DebtLocker.sol
@@ -82,7 +82,8 @@ contract DebtLocker is IDebtLocker, DebtLockerStorage, MapleProxied {
 }
 function setAllowedSlippage(uint256 allowedSlippage_) external override whenProtocolNotPaused {
- require(msg.sender == _getPoolDelegate(), "DL:SAS:NOT_PD");
+ require(msg.sender == _getPoolDelegate(), "DL:SAS:NOT_PD");
+ require(allowedSlippage_ <= uint256(10000), "DL:SAS:INVALID_SLIPPAGE");
 emit AllowedSlippageSet(_allowedSlippage = allowedSlippage_);
 }
diff --git a/contracts/test/DebtLocker.t.sol b/contracts/test/DebtLocker.t.sol
index d235741..5208394 100644
--- a/contracts/test/DebtLocker.t.sol
+++ b/contracts/test/DebtLocker.t.sol
@@ -726,6 +726,19 @@ contract DebtLockerTests is TestUtils {
 pool.triggerDefault(address(debtLocker));
 }
+ /******************************/
+ /*** Input Validation Tests ***/
+ /******************************/
+
+ function test_setAllowedSlippage_invalidSlippage() external {
+ MapleLoan loan = _createLoan(1_000_000, 30_000);
+
+ DebtLocker debtLocker = DebtLocker(pool.createDebtLocker(address(dlFactory), address(loan)));
+
+ assertTrue(!poolDelegate.try_debtLocker_setAllowedSlippage(address(debtLocker), 10001));
+ assertTrue( poolDelegate.try_debtLocker_setAllowedSlippage(address(debtLocker), 10000));
+ }
+
 /***********************/
 /*** Refinance Tests ***/
 /***********************/
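Review bot: The new bound in `setAllowedSlippage` is the bare literal `uint256(10000)`, with nothing in the hunk stating the unit or why that value is the ceiling. If slippage is expressed in basis points (the 10000/10001 boundary in the accompanying test suggests so, but the hunk does not say), the check still admits 100%, a setting at which a downstream slippage guard would presumably accept any price; confirm that ceiling is intended or document why a tighter cap is not enforced. I would add a comment above the check such as `// allowedSlippage_ is in basis points; 10000 == 100%` and drop the redundant cast: `require(allowedSlippage_ <= 10_000, "DL:SAS:INVALID_SLIPPAGE");`. How `_allowedSlippage` is consumed is outside this diff, so its effect on liquidation pricing is inferred.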
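Review bot: `test_setAllowedSlippage_invalidSlippage` asserts only the boolean returned by the `try_` helper, so it would still pass if the accepted call succeeded without storing the value, or if the rejected call left state modified. Assuming the locker exposes an `allowedSlippage()` getter, add `assertEq(debtLocker.allowedSlippage(), 10000);` after the accepted call, and an equality check against the initial value after the rejected one. If it is not already covered elsewhere in the suite, a case where a non-delegate passes an in-range value would keep the `DL:SAS:NOT_PD` and `DL:SAS:INVALID_SLIPPAGE` paths distinguishable. The enclosing test contract starts and ends outside the hunk.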