Open c4-bot-8 opened 8 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #230
alcueca marked the issue as selected for report
alcueca changed the severity to 2 (Med Risk)
alcueca marked the issue as satisfactory
andresaiello (sponsor) acknowledged
Lines of code
https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L231
Vulnerability details
Impact
Protocol fee and referral fee retrieved during the sale of a token stay permanently stuck in the Curves contract.
Proof of Concept
Curves._transferFee
subtracts all the fees from the selling price and transfers the remaining to the seller: https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L231protocolFee
taken away is not transferred to theprotocolFeeDestination
in the remainder of the_transferFee
function: https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L231-L250. It stays back in the contract with no other of way of retrieval.referralFee
is taken away without checking if a referral address actually exists. In the event that there is no referral defined, the third transfer is never executed: https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L240. This leaves the referral fee in the contract, again no retrieval mechanism.Tools Used
Manual review
Recommended Mitigation Steps
buyValue
(https://github.com/code-423n4/2024-01-curves/blob/main/contracts/Curves.sol#L230C59-L230C59) variable already has the logic for jointly handling the protocol and referral fee.It can be given a more generic name, and be transferred to the
protocolDestination
for both buying and selling transactions.Assessed type
ETH-Transfer