This is intentional behavior. We don't always want to charge the largest fee; we want to charge the fee most relevant to the safe.
While the observation is correct, there seems to be no vulnerability here. Because the logic for assigning fees is based on pertinence, and the warden didn't prove that the rule is broken, I am going to mark the finding invalid.
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboClerk.sol#L106-L122
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/TurboSafe.sol#L266
Vulnerability details
Impact
May cause lower fees to be calculated
Proof of Concept
1. customFeePercentageForSafe = 100
2. customFeePercentageForCollateral = 200
3. slurp gets called, which calls getFeePercentageForSafe as part of its interest calculation
4. getFeePercentageForSafe will return 100 rather than 200, causing less fees to be calculated, accounted, and transferred to the master
Tools Used
Manual analysis
Recommended Mitigation Steps
Evaluate which is larger in getFeePercentageForSafe and return the larger.
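The two fee rules discussed in this thread, side by side, as an added sketch that is not part of the report and not the TurboClerk source. The contract name, storage names, setters, getLargestFeePercentage, compare, the zero-means-unset sentinel, the default-fee fallback and the 1e18 fee scaling are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// Added sketch, not the TurboClerk source. Storage layout, the zero sentinel,
/// the default fallback and the 1e18 scaling are assumptions.
contract FeeLookupSketch {
    uint256 public defaultFeePercentage;
    mapping(address => uint256) public customFeeForSafe;       // 0 = unset (assumed)
    mapping(address => uint256) public customFeeForCollateral; // 0 = unset (assumed)

    constructor(uint256 defaultFee) { defaultFeePercentage = defaultFee; }

    // Setters are left unrestricted only to keep the sketch short.
    function setSafeFee(address safe, uint256 fee) external { customFeeForSafe[safe] = fee; }
    function setCollateralFee(address asset, uint256 fee) external { customFeeForCollateral[asset] = fee; }

    /// Rule the sponsor describes: the setting most relevant to the Safe wins.
    function getFeePercentageForSafe(address safe, address asset) public view returns (uint256) {
        uint256 safeFee = customFeeForSafe[safe];
        if (safeFee != 0) return safeFee;
        uint256 collateralFee = customFeeForCollateral[asset];
        if (collateralFee != 0) return collateralFee;
        return defaultFeePercentage;
    }

    /// Rule the report recommends: the larger of the two custom fees.
    function getLargestFeePercentage(address safe, address asset) public view returns (uint256) {
        uint256 safeFee = customFeeForSafe[safe];
        uint256 collateralFee = customFeeForCollateral[asset];
        uint256 larger = safeFee > collateralFee ? safeFee : collateralFee;
        return larger != 0 ? larger : defaultFeePercentage;
    }

    /// Fee taken from accrued interest under each rule (fee assumed 1e18-scaled).
    function compare(address safe, address asset, uint256 interest)
        external view returns (uint256 feeBySpecificity, uint256 feeByLargest)
    {
        feeBySpecificity = interest * getFeePercentageForSafe(safe, asset) / 1e18;
        feeByLargest = interest * getLargestFeePercentage(safe, asset) / 1e18;
    }
}
```

With the report's values (Safe fee 100, collateral fee 200), the first rule returns 100 and the second 200. Under the second rule a per-Safe fee set below the collateral fee would never take effect.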