raymondfam
commented
3 months ago Illogical/insufficient proof.
Closed c4-bot-6 closed 3 months ago
raymondfam
commented
3 months ago Illogical/insufficient proof.
c4-pre-sort
commented
3 months ago raymondfam marked the issue as insufficient quality report
c4-pre-sort
commented
3 months ago raymondfam marked the issue as primary issue
c4-judge
commented
3 months ago hansfriese marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/PrimaryLiquidationFacet.sol#L223
Vulnerability details
Impact
The
_liquidationFeeHandlerfunction calculation and distribution of thetappFeeandcallerFeeis flawed. Specifically, there seems to be a potential issue with the logic in theelseblock, which is executed whenTAPP.ethEscrowedis less thancallerFee.In the
elseblock, the code attempts to give the caller a portion of thetappFeeinstead of thegasFee. However, the calculation appears to be incorrect.Proof of Concept
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/PrimaryLiquidationFacet.sol#L223
This line is adding the
callerFee, subtracting thegasFee, and then adding thetappFeetoVaultUser.ethEscrowed. The issue is that thetappFeeshould not be added to the caller's escrow balance. ThetappFeeshould be deducted from theTAPPescrow balance, as it is the fee meant for the TAPP contract.Additionally, the line
m.totalFee -= m.gasFee;in theelseblock seems unnecessary, as thegasFeeis already accounted for in thecallerFeecalculation.Tools Used
Manual
Recommended Mitigation Steps
In this version, the caller receives the full
callerFeewhenTAPP.ethEscrowedis insufficient. TheTAPP.ethEscrowedis set to 0, effectively transferring the remaining balance to the caller.It's also worth double-checking the calculations and logic for the distribution of fees to ensure that the intended behavior is correctly implemented.
Assessed type
Math