Open c4-bot-1 opened 9 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Low QA for failing to elaborate on fee loss due to not updating users' unclaimed fees before having data.userFeeOffset[account] assigned the latest value of data.cumulativeFeePerToken.
It's true, but as holders can be a large number, it can raise an out-of-gas exception and block the protocol. That's why we choose a passive way.
andresaiello (sponsor) disputed
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-01-curves/blob/main/contracts/FeeSplitter.sol#L89
Vulnerability details
The addFees function allows managers to add fees to the contract, but does not automatically trigger a distribution of these fees to token holders.
Mitigation
To ensure that fees are distributed to token holders, you can introduce a mechanism that updates each token holder's unclaimedFees whenever new fees are added.
Impact
With the current approach, fees added to the contract could remain unclaimed, leading to a mismatch between the fees that token holders expect to receive and what is actually claimable. Token holders would need to actively claim their fees or rely on the contract manager to trigger an update, which could lead to delays or missed fee distributions.
Mitigation Explanation:
Assessed type
Context
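The passive accounting discussed in this thread, as an added Python model (not the project's Solidity code and not part of the original report): `addFees` only moves a global `cumulativeFeePerToken`, and each account's share is settled lazily against its `userFeeOffset`. The class, method names, the `settle_first` switch and all figures are assumptions constructed for illustration; the switch shows the fee loss that occurs when the offset is overwritten before unclaimed fees are credited.

```python
PRECISION = 10**18  # fixed-point scale (assumption for this model)

class FeeSplitterModel:
    """Constructed model of pull-based fee accounting; not the Curves contract."""

    def __init__(self):
        self.cumulative_fee_per_token = 0  # models data.cumulativeFeePerToken
        self.user_fee_offset = {}          # models data.userFeeOffset[account]
        self.unclaimed_fees = {}           # models unclaimedFees
        self.balances = {}
        self.total_supply = 0

    def add_fees(self, amount):
        # O(1): only the global accumulator moves, no loop over holders,
        # so the cost does not grow with the number of holders.
        self.cumulative_fee_per_token += amount * PRECISION // self.total_supply

    def _owed(self, account):
        delta = self.cumulative_fee_per_token - self.user_fee_offset.get(account, 0)
        return self.balances.get(account, 0) * delta // PRECISION

    def on_balance_change(self, account, new_balance, settle_first=True):
        if settle_first:
            # Credit what accrued at the old balance before moving the offset.
            self.unclaimed_fees[account] = (
                self.unclaimed_fees.get(account, 0) + self._owed(account))
        # Without the settle step, this assignment discards accrued fees.
        self.user_fee_offset[account] = self.cumulative_fee_per_token
        self.total_supply += new_balance - self.balances.get(account, 0)
        self.balances[account] = new_balance

    def claimable(self, account):
        return self.unclaimed_fees.get(account, 0) + self._owed(account)

def scenario(settle_first):
    """Constructed figures: alice holds 10, bob 30, fees of 400 then 500."""
    s = FeeSplitterModel()
    s.on_balance_change("alice", 10)
    s.on_balance_change("bob", 30)
    s.add_fees(400)                                 # accrues alice 100, bob 300
    s.on_balance_change("alice", 20, settle_first)  # alice's balance changes
    s.add_fees(500)                                 # supply 50: alice 200, bob 300
    return s.claimable("alice"), s.claimable("bob")

if __name__ == "__main__":
    print("settled before offset update:", scenario(True))
    print("offset overwritten unsettled:", scenario(False))
```

In the settled run the two claimable amounts sum to the 900 added; in the unsettled run alice's first 100 is no longer claimable by anyone.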