Closed c4-bot-9 closed 2 months ago
Report of sufficient quality
3docSec marked the issue as satisfactory
3docSec marked the issue as selected for report
We only charge a fee to users who use our UI to execute a txn.
Invalid: intended behavior
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/Common.sol#L104
Vulnerability details
Impact
Loss of future platform fees, business logic is broken
Proof of Concept
The platform fees can be bypassed because fee collection is tied to the users' click actions on the platform's front end; it is not enforced by the contracts.
Fee collection relies on actions that users can execute themselves on the underlying platforms (Uniswap and Algebra) where their liquidity sits. Going that route, they only pay gas and nothing else. Charging fees for flows that can be executed more cheaply elsewhere will drive users to the cheaper path.
As per the contracts, the protocol's maximum fee is 10%, and these fees can be bypassed entirely by setting 0 fees in V3Utils. Even if the fee is later set to 1% (or less), an adversary can at any time copy the Krystal contracts with their own settings, build a browser extension that interacts with the copycat contracts at a lower fee (even 0 fee), and users can keep using Krystal's website to view their positions while transacting through the cheaper contracts.
In that situation the platform serves only as a complimentary front end, and its business logic is broken.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend that the position NFTs not remain with the users.
Positions should be attributed to users via Krystal's custom NFTs or other forms of validation (e.g. mappings), but the positions themselves should be managed strictly by Krystal DeFi.
Doing so would also let Krystal DeFi perform liquidity aggregation, as Sushi did in the past.
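The custodial design the mitigation describes, sketched as an added illustration (not Krystal's code): the position NFT is deposited into a vault, so every fee collection has to pass through the contract, where the protocol cut is applied on-chain rather than by the UI. The interface subset, the vault name, the 10% cap constant, passing token0/token1 as parameters and the basis-point fee split are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Uniswap V3 NonfungiblePositionManager ABI used here; the position NFT is ERC-721.
interface INonfungiblePositionManager {
    struct CollectParams { uint256 tokenId; address recipient; uint128 amount0Max; uint128 amount1Max; }
    function collect(CollectParams calldata p) external payable returns (uint256 amount0, uint256 amount1);
    function transferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }
// Hypothetical custodial vault: the position NFT is held here, so accrued swap fees can only
// be collected through this contract and the protocol cut is enforced on-chain, not by the UI.
contract CustodialPositionVault {
    uint256 public constant BPS = 10_000;
    uint256 public constant MAX_FEE_BPS = 1_000; // 10% ceiling, matching the maximum the report cites
    uint256 public immutable feeBps;
    address public immutable feeRecipient;
    INonfungiblePositionManager public immutable npm;
    mapping(uint256 => address) public depositorOf; // tokenId -> depositor
    constructor(INonfungiblePositionManager _npm, address _feeRecipient, uint256 _feeBps) {
        require(_feeBps <= MAX_FEE_BPS, "fee above cap");
        npm = _npm; feeRecipient = _feeRecipient; feeBps = _feeBps;
    }
    function deposit(uint256 tokenId) external {
        npm.transferFrom(msg.sender, address(this), tokenId); // caller must approve the vault first
        depositorOf[tokenId] = msg.sender;
    }
    // Settle pending fees before returning the NFT; otherwise a user could withdraw, collect on Uniswap directly, redeposit.
    function withdraw(uint256 tokenId, address token0, address token1) external {
        _collectAndSplit(tokenId, token0, token1);
        delete depositorOf[tokenId];
        npm.transferFrom(address(this), msg.sender, tokenId);
    }
    function collect(uint256 tokenId, address token0, address token1) external {
        _collectAndSplit(tokenId, token0, token1);
    }
    // token0/token1 are passed in for brevity; real code would read them from positions(tokenId).
    function _collectAndSplit(uint256 tokenId, address token0, address token1) internal {
        require(depositorOf[tokenId] == msg.sender, "not depositor");
        (uint256 a0, uint256 a1) = npm.collect(INonfungiblePositionManager.CollectParams(
            tokenId, address(this), type(uint128).max, type(uint128).max));
        _payout(token0, a0); _payout(token1, a1);
    }
    function _payout(address token, uint256 amount) internal {
        if (amount == 0) return;
        uint256 fee = amount * feeBps / BPS;
        if (fee > 0) require(IERC20(token).transfer(feeRecipient, fee), "fee transfer failed");
        require(IERC20(token).transfer(msg.sender, amount - fee), "payout failed");
    }
}
```

The point of the sketch is the settlement in withdraw(): custody alone is not enough if the NFT can be pulled out with uncollected fees still attached.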
Assessed type
Other