code-423n4 / 2022-12-Stealth-Project-findings


protocolFeeRatio can be up to 100% #46

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-Stealth-Project/blob/fc8589d7d8c1d8488fd97ccc46e1ff11c8426ac2/maverick-v1/contracts/models/Pool.sol#L332-L337

Vulnerability details

Impact

In the setProtocolFeeRatio function, the maximum value of protocolFeeRatio can be set to 1e3.

    function setProtocolFeeRatio(uint16 _protocolFeeRatio) internal {
        require(_protocolFeeRatio <= ONE_3_DECIMAL_SCALE);
        state.protocolFeeRatio = _protocolFeeRatio;

        emit SetProtocolFeeRatio(_protocolFeeRatio);
    }

When protocolFeeRatio is 1e3, all fees generated by the swap will be used as ProtocolFee; that is, liquidity providers will not receive any fees.

    function _amountToBin(uint256 deltaInErc, uint256 feeBasis) internal view returns (uint256 amount) {
        amount = state.protocolFeeRatio != 0 ? Math.clip(deltaInErc, feeBasis.mul(uint256(state.protocolFeeRatio) * PROTOCOL_FEE_SCALE) + 1) : deltaInErc;
    }

Also, setProtocolFeeRatio may front run the user's swap, thereby collecting all fees generated by the swap.

Proof of Concept

https://github.com/code-423n4/2022-12-Stealth-Project/blob/fc8589d7d8c1d8488fd97ccc46e1ff11c8426ac2/maverick-v1/contracts/models/Pool.sol#L332-L337

https://github.com/code-423n4/2022-12-Stealth-Project/blob/fc8589d7d8c1d8488fd97ccc46e1ff11c8426ac2/maverick-v1/contracts/models/Pool.sol#L549-L551

Tools Used

None

Recommended Mitigation Steps

Consider setting an upper bound for protocolFeeRatio, such as 3e2 for 30%.
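
The fee split described in the report above, modelled as an added example (not code from the report or from the project's contracts), comparing the current 1e3 bound with the suggested 3e2 cap. It assumes PROTOCOL_FEE_SCALE is 1e15, that Math.clip floors at zero, and a floor-rounded 18-decimal multiply; PoolModel, lp_fee and worst_case_lp_fee are hypothetical names.

```python
WAD = 10**18                   # 18-decimal fixed-point unit (assumed)
ONE_3_DECIMAL_SCALE = 10**3    # 1e3 = 100%, per the issue text
PROTOCOL_FEE_SCALE = 10**15    # assumed: ratio * scale gives a WAD fraction
SUGGESTED_CAP = 300            # 3e2 = 30%, the bound suggested in the issue


def clip(x: int, y: int) -> int:
    """Assumed Math.clip semantics: x - y, floored at zero."""
    return x - y if x > y else 0


def amount_to_bin(delta_in: int, fee_basis: int, ratio: int) -> int:
    """Mirror of _amountToBin from the issue, with floor-rounded fixed-point mul."""
    if ratio == 0:
        return delta_in
    protocol_cut = fee_basis * (ratio * PROTOCOL_FEE_SCALE) // WAD + 1
    return clip(delta_in, protocol_cut)


def lp_fee(delta_in: int, fee_basis: int, ratio: int) -> int:
    """Part of the swap fee that still reaches the bin (liquidity providers)."""
    principal = delta_in - fee_basis
    return clip(amount_to_bin(delta_in, fee_basis, ratio), principal)


class PoolModel:
    def __init__(self, max_ratio: int = ONE_3_DECIMAL_SCALE):
        self.max_ratio = max_ratio
        self.protocol_fee_ratio = 0

    def set_protocol_fee_ratio(self, ratio: int) -> None:
        # Same require() as in the issue, with the bound made configurable.
        if ratio > self.max_ratio:
            raise ValueError("protocolFeeRatio above cap")
        self.protocol_fee_ratio = ratio

    def swap_lp_fee(self, delta_in: int, fee_basis: int) -> int:
        return lp_fee(delta_in, fee_basis, self.protocol_fee_ratio)


def worst_case_lp_fee(max_ratio: int, delta_in: int, fee_basis: int) -> int:
    """LP fee for a swap executed right after the ratio is raised to its cap."""
    pool = PoolModel(max_ratio)
    pool.set_protocol_fee_ratio(max_ratio)
    return pool.swap_lp_fee(delta_in, fee_basis)
```

With the cap in place, a ratio change that lands just before a swap can redirect at most 30% of that swap's fee (plus the 1 wei rounding term) instead of all of it.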

kirk-baird commented 1 year ago

This is the same as #31; see that issue for more details and/or discussion.

c4-judge commented 1 year ago

kirk-baird changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

kirk-baird marked the issue as grade-b