Status: Closed (closed by code423n4 2 years ago)
this is intended behavior
Invalid finding as the math is as intended
NOTE: The finding is invalid because the math is as intended (which can always be contested for security concerns); however, the warden didn't show any reason why the math is wrong besides "it looking unusual".
Handle
0xsanson
Vulnerability details
Impact
The streaming fee in Basket.sol is calculated as:
fee = startSupply * feePct / (BASE - feePct)
This is an unusual way of calculating a fee, since its value depends on the frequency of calling handleFees. Indeed, the cumulative fee of calling at times A < B < C is smaller than calling only at A < C. The usual, and "linear", way would be:
fee = startSupply * feePct
Proof of Concept
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Basket.sol#L118
Tools Used
editor
Recommended Mitigation Steps
Maybe this is the intended behavior. If not, consider changing as suggested.
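As an added illustration (not part of the warden's report or the project's own code), the script below replays handleFees over two call schedules under the quoted Basket.sol formula and under the proposed linear one, and checks what share of the post-mint supply the minted fee represents. It assumes BASE is a 1e18 fixed-point scale and that feePct for one call is an annual rate prorated by the seconds elapsed since the previous call; the supply and rate are constructed sample values.

```python
from fractions import Fraction

BASE = 10**18                 # assumed fixed-point 1.0, as used in the quoted formula
ONE_YEAR = 365 * 24 * 60 * 60


def basket_fee(start_supply: int, fee_pct: int) -> int:
    """Fee as quoted from Basket.sol: startSupply * feePct / (BASE - feePct)."""
    return start_supply * fee_pct // (BASE - fee_pct)


def linear_fee(start_supply: int, fee_pct: int) -> int:
    """The 'linear' alternative proposed in the report: startSupply * feePct."""
    return start_supply * fee_pct // BASE


def fee_share_of_new_supply(start_supply: int, fee_pct: int) -> Fraction:
    """Fraction of the post-mint supply that the Basket.sol fee represents."""
    fee = basket_fee(start_supply, fee_pct)
    return Fraction(fee, start_supply + fee)


def cumulative_fee(start_supply: int, annual_fee_pct: int, call_times: list, fee_fn) -> int:
    """Replay handleFees at each timestamp in call_times (first entry = last fee time).

    Assumption (not stated on the page): feePct for a call is the annual rate
    prorated by seconds elapsed since the previous call, and minted fee tokens
    join the supply before the next call.
    """
    supply, last, total = start_supply, call_times[0], 0
    for t in call_times[1:]:
        fee_pct = annual_fee_pct * (t - last) // ONE_YEAR
        fee = fee_fn(supply, fee_pct)
        supply += fee
        total += fee
        last = t
    return total


def compare_schedules(fee_fn, start_supply=10**24, annual_fee_pct=2 * 10**16) -> dict:
    """Cumulative fee for calls at A < B < C versus only at A < C.

    Constructed sample: 1,000,000 tokens (18 decimals), 2% annual fee,
    B half a year after A and C a full year after A.
    """
    a, b, c = 0, ONE_YEAR // 2, ONE_YEAR
    return {
        "A<B<C": cumulative_fee(start_supply, annual_fee_pct, [a, b, c], fee_fn),
        "A<C": cumulative_fee(start_supply, annual_fee_pct, [a, c], fee_fn),
    }


if __name__ == "__main__":
    for name, fn in (("Basket.sol", basket_fee), ("linear", linear_fee)):
        print(name, compare_schedules(fn))
```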