x/leverage: Lack of token validation on setRegisteredToken ( RV #18 )

[toteki]

Runtime Verification Audit Item 18

Issue: line 52 in keeper/token.go, in function SetRegisteredToken(ctx, token), no validation was performed on the token. Furthermore, there is no validation in InitGenesis() and handleUpdateRegistryProposalHandler() where setRegisteredToken() are called.

Effect: some of the token parameters may not meet expectation, for example, BaseBorrowRate is non-negative and KinkUtilizationRate is positive and less than 1.0.

Recommendation: call Validate() function in types/token.go before writing the token into the registry.

[toteki]

This should be approached cautiously:

• a panic(err) during initGenesis mirrors other genesis errors would be acceptable
• we haven't specifically tested how the sdk handles non-nil errors from govTypes.Handler - if the proposal simply fails to take effect that would be fine, but a chain halt would be overkill and we should instead prefer to skip the offending token and log an error message.