code-423n4 / 2021-09-defiprotocol-findings


Basket.handleFees() (contracts/Basket.sol#110-129) performs a multiplication on the result of a division #255

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

0xalpharush

Vulnerability details

Impact

Users can burn tokens and evade fees by backrunning other transactions that result in handleFee being called.

Proof of Concept

Following another transaction that results in lastFee being updated, an attacker can call burn and withdraw their tokens without paying a fee. If timeDiff and licenseFee are both 1, for instance, feePct would be zero due to how Solidity handles fixed-point math. Then, fee is calculated to be zero, and the user withdraws all tokens without paying the fee.

Tools Used

Slither

Recommended Mitigation Steps

Do not perform multiplication on the result of a division because it's possible that loss of precision will result in the fee being zero. Also, consider not basing the fee calculation on block.timestamp as it's able to be gamed.
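As an added illustration of the Slither rule behind this finding (this is not code from Basket.sol and not part of the issue thread), the Python model below compares two orderings of integer division and multiplication in a time-streamed fee. The expression shapes `(timeDiff / ONE_YEAR) * licenseFee` and `(timeDiff * licenseFee) / ONE_YEAR`, the `BASE` scale, the `fee_tokens` conversion and the constant total supply are all assumptions made for the model, not a claim about the contract's exact code. Python's `//` truncates like Solidity's unsigned integer division, so the rounding behaviour carries over.

```python
# Added example (not Basket.sol): a model of integer-rounding loss in a
# time-streamed fee. The fee-percentage shapes below are ASSUMED for
# illustration; they are not claimed to be the contract's exact expressions.

ONE_YEAR = 365 * 24 * 60 * 60   # seconds per year
BASE = 10**18                   # assumed fixed-point scale: BASE == 100%


def fee_pct_divide_first(license_fee: int, time_diff: int) -> int:
    """Pattern Slither flags: divide, then multiply the truncated result.
    time_diff // ONE_YEAR is 0 for any interval shorter than a year, so the
    whole expression collapses to 0 regardless of license_fee."""
    return (time_diff // ONE_YEAR) * license_fee


def fee_pct_multiply_first(license_fee: int, time_diff: int) -> int:
    """Multiply first, divide last: truncation happens once, on the largest
    intermediate, so only the sub-unit remainder is lost per call."""
    return (time_diff * license_fee) // ONE_YEAR


def fee_tokens(total_supply: int, fee_pct: int) -> int:
    """Assumed conversion of a fee percentage (BASE-scaled) to a token amount."""
    return total_supply * fee_pct // BASE


def stream_fees(fee_pct_fn, license_fee: int, total_supply: int, intervals) -> int:
    """Run one handleFees-style accrual per interval; supply is held fixed
    for simplicity. Returns the total fee charged across all intervals."""
    total = 0
    for dt in intervals:
        total += fee_tokens(total_supply, fee_pct_fn(license_fee, dt))
    return total


def stream_fees_with_carry(license_fee: int, total_supply: int, intervals) -> int:
    """Exact accrual: keep the undivided remainder between calls, so that
    many short intervals charge exactly what one long interval would."""
    denom = ONE_YEAR * BASE
    total, carry = 0, 0
    for dt in intervals:
        num = total_supply * license_fee * dt + carry
        total += num // denom
        carry = num % denom
    return total


def compare(license_fee: int = 2 * 10**16, total_supply: int = 10**21, step: int = 3600) -> dict:
    """Compare a year of hourly accruals against a single yearly accrual.
    Constructed parameters: 2% per year fee, 1000 tokens of 18-decimal supply."""
    hourly = [step] * (ONE_YEAR // step)
    yearly = [ONE_YEAR]
    return {
        "one_shot": stream_fees(fee_pct_multiply_first, license_fee, total_supply, yearly),
        "divide_first": stream_fees(fee_pct_divide_first, license_fee, total_supply, hourly),
        "multiply_first": stream_fees(fee_pct_multiply_first, license_fee, total_supply, hourly),
        "with_carry": stream_fees_with_carry(license_fee, total_supply, hourly),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>15}: {value}")
```

Running `compare()` shows the three behaviours side by side: the divide-first shape charges nothing at all over a year of hourly calls, the multiply-first shape loses only the accumulated sub-unit remainder (a few hundred thousand wei-units out of 2e19), and carrying the remainder between calls matches the single-shot amount exactly. The multiply-first ordering alone is not sufficient for the extreme case in the finding: `fee_pct_multiply_first(1, 1)` is still 0 because the product is smaller than `ONE_YEAR`, which is why an implementation that must never let an accrual round to zero either carries the remainder as above or rounds in the protocol's favour.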

GalloDaSballo commented 2 years ago

The warden seems to not fully understand the system

The fee is streamed, it's paid as dilution of the basket

The finding also shows no clear POC

Am marking this as invalid