Closed c4-bot-8 closed 9 months ago
141345 marked the issue as sufficient quality report
141345 marked the issue as primary issue
Alec1017 (sponsor) disputed
Ran the provided PoC. This is intended behavior because there isnt much we can do about users trading very small amounts. In the example provided, 14 wei is used, which is a very small number of tokens. In this case, the accounting is correct that a fee is not taken here.
The expected amount of fees taken for the transaction in the PoC is indeed 0
Warden's POC shows loss of dust amounts with no proof of how this occurs with real values.
0xean marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/modules/PaymentEscrow.sol#L215-L283
Vulnerability details
Impact
Balance desynchronization leads to a situation where the contract does not check the actual tokens held.
Which results in the loss of protocol assets, eroding the contract's financial stability.
Proof of Concept
Any losses or wrong calculations between the
increaseDeposit
amount and_settlePayment
will not be caught, because after we settle a payment, we are missing a check 'are the expected fees/assets inside the contract.'Calculating the fees and later not synchronizing them with the actual balance gives us a pretty nice gap for losing assets. Because when we settle the payment and make the transfer of the assets, logically, we sent the last amount directly, assuming we already took the fee, which is added to the contract balance:
_settlePayment
We have a few examples of losing assets because the denominator doesn't handle all scenarios.
One is when we calculate the fees, which happens exactly between increasing the deposit amount and settling the payment.
In the passed test case below, let's assume we loop through 100 items in the order, and the escrow (ESCRW) received 14 tokens pro item because the
item.amount
was 14, for example.This discrepancy becomes serious when considering the fee mechanism. With a 7% fee set, the contract should retain a portion of the transactions as fees, but as we can see, it has 0 after settling the payment, because after 'settling the payment', we don't check if we have the expected fee amount left in the contract:
However, other posibilities of losing assets are around
_calculatePaymentProRata
and usingblock.timestamp
for the elapsed time.Tools Used
Manual review
Recommended Mitigation Steps
Add a check after
_settlePayment
to ensure the fees left match with the expected true token balance of the escrow.Assessed type
Other