Open code423n4 opened 1 year ago
Because the finding is limited to an event it is by definition Informational / Non-Critical
I will award it a Refactoring because it's a gotcha
R
GalloDaSballo changed the severity to QA (Quality Assurance)
m19 marked the issue as sponsor confirmed
We confirm this issue and agree that it's QA
GalloDaSballo marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMAFeeCollector.sol#L205 https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMAFeeCollector.sol#L219
Vulnerability details
Impact
KUMAFeeCollector may emit an event
FeeReleased(availableIncome)
withavailableIncome > 0
when it doesn't actually release any fee.Proof of Concept
According to the
_release()
function:If the length of
_payees
is 0, it will transfer 0 token, but the eventFeeReleased
will always be emitted.The KUMAFeeCollector._release() is called by either KUMAFeeCollector.release() or KUMAFeeCollector._releaseIfAvailableIncome().
The wrong event will never be emitted when calling
release()
because it will check the length of_payees
before calling_release()
:But, KUMAFeeCollector._releaseIfAvailableIncome() doesn't check the
_payees
before calling_release()
. So, the wrongFeeReleased
event may be emitted through_releaseIfAvailableIncome()
.Tools Used
VS Code
Recommended Mitigation Steps
We should check
_payees.length()
(is 0 or not) either in KUMAFeeCollector._releaseIfAvailableIncome() or in KUMAFeeCollector._release().