code-423n4 / 2022-12-prepo-findings


Irrelevant error message from `Collateral.withdraw()` worries users #268

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/feat/2022-12-prepo/apps/smart-contracts/core/contracts/Collateral.sol#L64-L78

Vulnerability details

Impact

Users may receive the error message `fee = 0` whenever making a withdrawal from the Collateral contract if the withdrawal amount is not enough. The error message is irrelevant to users; it relates to how the protocol processes the withdrawal. If a user receives multiple such messages, it may worry the user, who has no idea what is happening. Users may wonder whether their assets are still under their control.

Proof of Concept

Provided: FEE_DENOMINATOR = 1000000; withdrawFee = 100; baseTokenDenominator = 1e18, a user calls withdraw(_amount):

Tools Used

N/A

Recommended Mitigation Steps

Improve the error message so that it includes the actual reason the transaction failed and the required minimum withdrawal amount. Alternatively, implement some other fee strategy.
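The fee truncation behind the `fee = 0` revert, as an added example that is not code from the prePO repository: a Python model of the withdraw fee using the parameters the finding gives (FEE_DENOMINATOR = 1000000, withdrawFee = 100, baseTokenDenominator = 1e18). The scaling of the collateral amount through baseTokenDenominator, the assumption that the collateral token has 18 decimals, and the function names are assumptions made for the illustration; the model shows the smallest amount whose fee does not round to zero and contrasts the bare revert reason with one that names the cause and the minimum, as the mitigation suggests.

```python
# Added example, not code from the prePO repository: models the fee rounding
# in Collateral.withdraw() with the parameters from the finding. The scaling
# via baseTokenDenominator and the 18-decimal collateral token are assumptions.

FEE_DENOMINATOR = 1_000_000          # from the finding
WITHDRAW_FEE = 100                   # from the finding (100 / 1e6 = 0.01 %)
BASE_TOKEN_DENOMINATOR = 10**18      # from the finding
COLLATERAL_DENOMINATOR = 10**18      # assumed: collateral token uses 18 decimals


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up (made explicit, as Solidity has no ceil)."""
    return -(-a // b)


def base_token_amount(amount: int) -> int:
    """Assumed conversion of a collateral amount into base-token units."""
    return amount * BASE_TOKEN_DENOMINATOR // COLLATERAL_DENOMINATOR


def fee_for(amount: int) -> int:
    """Withdraw fee with Solidity-style truncating integer division."""
    return base_token_amount(amount) * WITHDRAW_FEE // FEE_DENOMINATOR


def min_withdraw() -> int:
    """Smallest collateral amount whose fee does not truncate to zero."""
    min_base = ceil_div(FEE_DENOMINATOR, WITHDRAW_FEE)
    return ceil_div(min_base * COLLATERAL_DENOMINATOR, BASE_TOKEN_DENOMINATOR)


def check_original(amount: int) -> int:
    """Mirrors the behaviour the finding describes: revert with a bare 'fee = 0'."""
    fee = fee_for(amount)
    if fee == 0:
        raise ValueError("fee = 0")
    return fee


def check_improved(amount: int) -> int:
    """Same check, but the revert reason names the cause and the minimum amount."""
    fee = fee_for(amount)
    if fee == 0:
        raise ValueError(
            f"withdraw amount {amount} is below the minimum {min_withdraw()}: "
            f"fee of {WITHDRAW_FEE}/{FEE_DENOMINATOR} rounds to zero"
        )
    return fee


def revert_reason(check, amount: int) -> str:
    """Return the revert reason a caller would see, or '' if the call succeeds."""
    try:
        check(amount)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample amounts around the threshold (min_withdraw() == 10000 here).
    for amount in (1, 9_999, 10_000, 10**18):
        print(amount,
              "original:", revert_reason(check_original, amount) or "ok",
              "| improved:", revert_reason(check_improved, amount) or "ok")
```

With these parameters every withdrawal below 10000 units of collateral reverts, and the original message tells the user nothing about why; the improved reason string carries the threshold, which is the information the mitigation asks the contract to surface.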

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #273

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

Picodes marked the issue as grade-c