[SECURITY DISCLOSURE] Critical Vulnerability found in abaci.sol

[rbxict]

Bug Report: Critical and High Severity Bugs

Contract Name: LinearDecrease and StairstepExponentialDecrease

Severity: Critical

Bug 1: Unprotected Function

• Location: file function in both contracts
• Description: The file function allows an authorized user to modify the tau variable in the LinearDecrease contract and step and cut variables in the StairstepExponentialDecrease contract. However, there is no input validation to prevent an authorized user from setting these variables to arbitrary values, which could potentially disrupt the intended functionality of the contracts.
• Recommendation: Implement input validation to restrict the range of acceptable values for tau, step, and cut.

Bug 2: Reentrancy Vulnerability

• Location: rely and deny functions in both contracts
• Description: The rely and deny functions emit events, which can lead to reentrancy vulnerabilities if the contract that receives these events is not properly secured.
• Recommendation: Consider using a reentrancy guard or implementing a secure event emission mechanism.

Bug 3: Division by Zero

• Location: price function in the LinearDecrease contract
• Description: The price function divides by tau, which could be zero if an authorized user sets it to zero using the file function. This would result in a division by zero error.
• Recommendation: Add a check to ensure that tau is non-zero before performing the division.

Bug 4: Lack of Input Validation

• Location: price function in both contracts
• Description: The price functions do not validate their inputs, which could lead to unexpected behavior or errors if invalid inputs are provided.
• Recommendation: Implement input validation to ensure that the inputs to the price functions are valid and within the expected ranges.

Additional Recommendations:

• Consider adding a pause function to allow authorized users to pause the contract in case of an emergency.
• Implement a secure way to handle errors and exceptions, such as using a try-catch block or a custom error handling mechanism.
• Review the contracts for any potential gas-related issues and optimize the code to minimize gas consumption.

Conclusion:

The LinearDecrease and StairstepExponentialDecrease contracts have several critical and high-severity bugs that need to be addressed to ensure their security and functionality. It is recommended to implement the suggested fixes and recommendations to mitigate these bugs.

---

RECOMMENDATION: Immediate patch required. Bug Bounty Payout Address (ERC20): 0xe744f6791a685b0A0cC316ED44375B69361c837F