Keen Lead Squid - FadoBagi - Lack of Validation on earlyExitFeeBps #151

sherlock-admin3 opened this issue Sep 21, 2024 · 0 comments

Keen Lead Squid

High

FadoBagi - Lack of Validation on earlyExitFeeBps

Summary

The VaultFactory contract allows the owner to set the earlyExitFeeBps without any validation. This enables the owner to assign arbitrary and malicious fee values, which can result in users being overcharged or losing their entire withdrawal amounts.

Vulnerability Detail

In the VaultFactory contract, the setEarlyExitFeeBps function permits the owner to set the earlyExitFeeBps without any constraints:

function setEarlyExitFeeBps(uint256 _earlyExitFeeBps) external onlyOwner {
    earlyExitFeeBps = _earlyExitFeeBps;
    // ...
}

The function does not validate the value of _earlyExitFeeBps before setting it. The owner can set it to any value, including excessively high or low values.

High earlyExitFeeBps can result in users being overcharged during withdrawals. Users might lose a significant portion or all of their withdrawal amounts.

Impact

The lack of validation on earlyExitFeeBps allows the contract owner to set arbitrary fee values, leading to users being overcharged or losing their entire withdrawal amounts.

Code Snippet

Tool used

Manual Review

Recommendation

Implement validation in the setEarlyExitFeeBps function to restrict earlyExitFeeBps to a reasonable range, preventing the owner from setting excessively high or low fee values.
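The bounded setter below is an added illustration of the recommended fix, not the audited VaultFactory code. The cap value, the basis-point denominator, the event and error names, the minimal ownership stand-in, and the way the fee is applied to a withdrawal are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the project's ownership modifier (assumed).
abstract contract OwnableLite {
    address public owner;
    error NotOwner();
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
}

contract VaultFactoryFeeExample is OwnableLite {
    uint256 public constant BPS_DENOMINATOR = 10_000;       // 100% expressed in basis points
    uint256 public constant MAX_EARLY_EXIT_FEE_BPS = 1_000; // 10% ceiling; assumed policy value

    uint256 public earlyExitFeeBps;

    event EarlyExitFeeBpsUpdated(uint256 previousBps, uint256 newBps);
    error FeeBpsOutOfRange(uint256 requested, uint256 max);

    // Hardened setter: any value above the ceiling reverts, so the owner can no
    // longer configure a fee that consumes most or all of a user's withdrawal.
    // A lower bound, if the protocol wants one, is the same check in the other direction.
    function setEarlyExitFeeBps(uint256 _earlyExitFeeBps) external onlyOwner {
        if (_earlyExitFeeBps > MAX_EARLY_EXIT_FEE_BPS) {
            revert FeeBpsOutOfRange(_earlyExitFeeBps, MAX_EARLY_EXIT_FEE_BPS);
        }
        emit EarlyExitFeeBpsUpdated(earlyExitFeeBps, _earlyExitFeeBps);
        earlyExitFeeBps = _earlyExitFeeBps;
    }

    // Assumed fee formula: with the ceiling above, the fee never exceeds 10% of amount.
    function earlyExitFee(uint256 amount) public view returns (uint256) {
        return (amount * earlyExitFeeBps) / BPS_DENOMINATOR;
    }
}
```

Emitting the old and new values on every change also gives monitoring a clear signal to alert on whenever the fee is raised.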
