search

code-423n4 / 2023-12-particle-findings

2 stars 1 forks source link

Using `addPremium()` to evade part of the fees from `marginFrom` #32

Closed c4-bot-1 closed 11 months ago

c4-bot-1 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L193 https://github.com/code-423n4/2023-12-particle/blob/a3af40839b24aa13f5764d4f84933dbfa8bc8134/contracts/protocol/ParticlePositionManager.sol#L501

Vulnerability details

Vulnerability details

When openPosition, we will charge a certain fee, the calculation formula is as follows: ((marginFrom + amountFromBorrowed) * FEE_FACTOR) / Base.BASIS_POINT

It will include marginFrom, which is mainly used to ensure enough collateralTo after swap(), and an extra part will be deposited as tokenFromPremium

But when addPremium(), no fee is charged.

In this way, we can just ensure enough collateralTo after swap in openPosition(), deliberately let tokenFromPremiumPortion == 0, and then use addPremium() to increase tokenFromPremiumPortion, thereby evading the fee generated by this part of marginFrom

Impact

Using addPremium() to evade the fees that should be paid from marginFrom during openPosition

Recommended Mitigation

Charge fees for addPremium()

    function addPremium(uint96 lienId, uint128 premium0, uint128 premium1) external override nonReentrant {
...

+       uint256 fee0Amount;
+       uint256 fee1Amount;
+       if (lien.zeroForOne) {
+           fee0Amount = (premium0 * FEE_FACTOR) / Base.BASIS_POINT;
+           uint256 treasuryAmount =fee0Amount * _treasuryRate / Base.BASIS_POINT;
+           _treasury[token0] += treasuryAmount;                
+           lps.addTokensOwed(lien.tokenId, uint128(fee0Amount - treasuryAmount), 0);
+       } else {
+          fee1Amount = (premium1 * FEE_FACTOR) / Base.BASIS_POINT;
+           uint256 treasuryAmount =fee1Amount * _treasuryRate / Base.BASIS_POINT;
+           _treasury[token1] += treasuryAmount;                
+           lps.addTokensOwed(lien.tokenId, 0 , uint128(fee1Amount - treasuryAmount));
+       }

        liens.updatePremium(
            lienKey,
-           uint24(((token0Premium + premium0) * Base.BASIS_POINT) / collateral0),
+           uint24(((token0Premium + premium0 - fee0Amount) * Base.BASIS_POINT) / collateral0),
-           uint24(((token1Premium + premium1) * Base.BASIS_POINT) / collateral1)
+           uint24(((token1Premium + premium1 - fee1Amount) * Base.BASIS_POINT) / collateral1)
        );

Assessed type

Other

c4-judge commented 11 months ago

0xleastwood marked the issue as primary issue

romeroadrian commented 11 months ago

Duplicate #54

c4-judge commented 11 months ago

0xleastwood marked the issue as duplicate of #54

c4-judge commented 11 months ago

0xleastwood marked the issue as satisfactory