From bdc437fa35c5851e1ab66d0328d6c0a1e8132a27 Mon Sep 17 00:00:00 2001 From: Michael De Luca <35537333+deluca-mike@users.noreply.github.com> Date: Sun, 12 Dec 2021 18:48:43 -0500 Subject: [PATCH] fix: Input validation for `setAllowedSlippage` (C4 #45) (#47) * fix: Input validation for `setAllowedSlippage` (c4 #45) * fix: use underscore syntax for 10k Co-authored-by: Lucas Manuel --- contracts/DebtLocker.sol | 3 ++- contracts/test/DebtLocker.t.sol | 13 +++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/contracts/DebtLocker.sol b/contracts/DebtLocker.sol index ea864d6..cbca0fd 100644 --- a/contracts/DebtLocker.sol +++ b/contracts/DebtLocker.sol @@ -82,7 +82,8 @@ contract DebtLocker is IDebtLocker, DebtLockerStorage, MapleProxied { } function setAllowedSlippage(uint256 allowedSlippage_) external override whenProtocolNotPaused { - require(msg.sender == _getPoolDelegate(), "DL:SAS:NOT_PD"); + require(msg.sender == _getPoolDelegate(), "DL:SAS:NOT_PD"); + require(allowedSlippage_ <= uint256(10_000), "DL:SAS:INVALID_SLIPPAGE"); emit AllowedSlippageSet(_allowedSlippage = allowedSlippage_); } diff --git a/contracts/test/DebtLocker.t.sol b/contracts/test/DebtLocker.t.sol index d235741..9948487 100644 --- a/contracts/test/DebtLocker.t.sol +++ b/contracts/test/DebtLocker.t.sol @@ -726,6 +726,19 @@ contract DebtLockerTests is TestUtils { pool.triggerDefault(address(debtLocker)); } + /******************************/ + /*** Input Validation Tests ***/ + /******************************/ + + function test_setAllowedSlippage_invalidSlippage() external { + MapleLoan loan = _createLoan(1_000_000, 30_000); + + DebtLocker debtLocker = DebtLocker(pool.createDebtLocker(address(dlFactory), address(loan))); + + assertTrue(!poolDelegate.try_debtLocker_setAllowedSlippage(address(debtLocker), 10_001)); + assertTrue( poolDelegate.try_debtLocker_setAllowedSlippage(address(debtLocker), 10_000)); + } + /***********************/ /*** Refinance Tests ***/ /***********************/