code-423n4 / 2023-03-polynomial-findings

No fees set at the constructor is a loss to the protocol #196

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-polynomial/blob/aeecafc8aaceab1ebeb94117459946032ccdff1e/src/LiquidityPool.sol#L184-L195
https://github.com/code-423n4/2023-03-polynomial/blob/aeecafc8aaceab1ebeb94117459946032ccdff1e/src/LiquidityPool.sol#L448
https://github.com/code-423n4/2023-03-polynomial/blob/aeecafc8aaceab1ebeb94117459946032ccdff1e/src/LiquidityPool.sol#L480
https://github.com/code-423n4/2023-03-polynomial/blob/aeecafc8aaceab1ebeb94117459946032ccdff1e/src/LiquidityPool.sol#L512
https://github.com/code-423n4/2023-03-polynomial/blob/aeecafc8aaceab1ebeb94117459946032ccdff1e/src/LiquidityPool.sol#L544

Vulnerability details

Impact

Loss of fees to the protocol

Proof of Concept

The devFee and depositFee ratios of the LiquidityPool contract are not set at the constructor, and they have unique setter functions. These fees are transferred to the protocol's feeReceipient address proportionally with the amount of the trade volumes.

However, once the contracts are initialized, a very large amount can be deposited or a short/long position can be opened without paying the fees to the protocol, since they're not set yet. The transactions will be executed, as Solmate allows 0 amount transactions.

    function deposit(uint256 amount, address user) external override nonReentrant whenNotPaused("POOL_DEPOSIT") {
        uint256 tokenPrice = getTokenPrice();
        uint256 fees = amount.mulWadDown(depositFee);// <-------------- @audit-issue
        uint256 amountForTokens = amount - fees;
        uint256 tokensToMint = amountForTokens.divWadDown(tokenPrice);
        liquidityToken.mint(user, tokensToMint);
        totalFunds += amountForTokens;
        SUSD.safeTransferFrom(msg.sender, feeReceipient, fees);
        SUSD.safeTransferFrom(msg.sender, address(this), amountForTokens);

        emit Deposit(user, amount, fees, tokensToMint);
    }

openLong;

    uint256 externalFee = feesCollected.mulWadDown(devFee);

closeLong;

    uint256 externalFee = feesCollected.mulWadDown(devFee);

openShort;

    uint256 externalFee = feesCollected.mulWadDown(devFee);

closeShort;

    uint256 externalFee = feesCollected.mulWadDown(devFee);

Tools Used

Manual Review

Recommended Mitigation Steps

Set the protocol fees at the constructor.
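
A sketch of the recommended mitigation, added here as an example; it is not part of the original submission and is not the project's code. The contract name, `MAX_FEE` cap, `owner` check, combined `setFees` setter and `quoteDeposit` helper are assumptions for illustration; only `depositFee`, `devFee`, `feeReceipient` and the fee formula come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

/// Added illustration; not the Polynomial LiquidityPool. Only the fee state is modelled.
contract FeeInitExample {
    uint256 internal constant WAD = 1e18;
    // Hypothetical cap (assumption): fee ratios may not exceed 10%.
    uint256 public constant MAX_FEE = 0.1e18;

    address public immutable owner;
    address public feeReceipient; // spelling follows the snippet on the page
    uint256 public depositFee;    // WAD ratio applied to deposits
    uint256 public devFee;        // WAD ratio applied to collected trading fees

    event FeesUpdated(uint256 depositFee, uint256 devFee);

    constructor(address _feeReceipient, uint256 _depositFee, uint256 _devFee) {
        require(_feeReceipient != address(0), "fee receiver unset");
        owner = msg.sender;
        feeReceipient = _feeReceipient;
        _setFees(_depositFee, _devFee); // fees are live before any deposit or trade
    }

    /// Hypothetical combined setter; the page says the real contract has separate setters.
    function setFees(uint256 _depositFee, uint256 _devFee) external {
        require(msg.sender == owner, "not owner");
        _setFees(_depositFee, _devFee);
    }

    function _setFees(uint256 _depositFee, uint256 _devFee) internal {
        require(_depositFee <= MAX_FEE && _devFee <= MAX_FEE, "fee too high");
        depositFee = _depositFee;
        devFee = _devFee;
        emit FeesUpdated(_depositFee, _devFee);
    }

    /// Same split as deposit() above: fees = amount * depositFee / 1e18, rounded down.
    function quoteDeposit(uint256 amount) external view returns (uint256 fees, uint256 amountForTokens) {
        fees = (amount * depositFee) / WAD;
        amountForTokens = amount - fees;
    }
}
```

With the ratios passed to the constructor, `quoteDeposit` returns a non-zero `fees` value from the first call, and the `FeesUpdated` event gives monitoring a record of the initial and every later fee configuration.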

c4-judge commented 1 year ago

JustDravee marked the issue as duplicate of #238

c4-judge commented 1 year ago

JustDravee marked the issue as unsatisfactory: Invalid