Closed code423n4 closed 1 year ago
Looks like a gotcha mostly, am thinking QA
See Discussion on #26
L
GalloDaSballo changed the severity to QA (Quality Assurance)
m19 marked the issue as sponsor acknowledged
This is technically true, most likely new KUMASwaps will be launched without a fee so in that case this was intended behavior. We agree that it could also be passed in the initialize instead.
We agree with the QA rating for this issue.
GalloDaSballo marked the issue as grade-c
Finding is valid, but after scoring the QA Submissions the score is not sufficient
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KUMASwap.sol#L86 https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KUMASwap.sol#L359-L363
Vulnerability details
Impact
In KUMASwap contract, the setting of fees is done in a separate transaction after contract initialization. The fee variables are not set during initialization.
The delay between contract initialization and setting up of fees can be exploited by anyone to sell the bonds without incurring protocol fees.
This essentially lets the attacker to escape fees that should have ideally been transferred to
KUMAFeeCollector
, causing a loss to protocol.Proof of Concept
Consider this scenario:
This essentially lets the attacker to escape fees that should have ideally been transferred to
KUMAFeeCollector
, causing a loss to protocol.Tools Used
Manual review
Recommended Mitigation Steps
Consider setting the fee variables in the initialize function itself.