code-423n4 / 2024-06-krystal-defi-findings


The platform fees can be bypassed and the users can migrate to the other platforms #12

Closed c4-bot-9 closed 2 months ago

c4-bot-9 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/Common.sol#L104

Vulnerability details

Impact

Loss of future platform fees, business logic is broken

Proof of Concept

The platform fees can be bypassed, as the fee collection structure is actually based on users' click actions on the platform. It's not enforced!

Fee collection is based on actions that the users can execute themselves by using the platforms (Uni & Algebra) on which they have liquidity. They only need to pay the gas fees in that situation - nothing else. Applying fees to flows that can be done through cheaper actions will cause the users to flee to the cheaper ones.

As per the contracts, the protocol's max fee is 10%, and these fees can be totally bypassed by setting 0 fees in V3Utils:

Contract: Common.sol

104:         _maxFeeX64[FeeType.PROTOCOL_FEE] = 1844674407370955264; // 10%

Even if it's set to 1% later on (or even less), an adversary can at any time copy the Krystal contracts (with their own settings), build a browser extension tool to interact with the copycat contracts and make the fees lower - even 0 fee - and people can again use Krystal's website to see their positions. In contrast, they interact with the lower-fee contracts.

In this situation, the platform will only serve as a complimentary frontend; hence, the business logic will be broken.

Tools Used

Manual Review

Recommended Mitigation Steps

We recommend that the position NFTs should not remain with the users.

The positions should belong to users via Krystal's custom NFTs or other kinds of validations (e.g. mappings), but the positions should strictly be managed by Krystal DeFi only.

By doing this, Krystal DeFi can even perform liquidity aggregation like Sushi did in the past.

Assessed type

Other
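As an added illustration, not code from the Krystal repository or from the finding: a Python model of the X64 fixed-point fee cap that Common.sol line 104 configures. The caller-supplied fee parameter, the ceiling-only check and the TooMuchFee revert reason are assumptions made here for the model; the 10% constant is the one quoted above.

```python
# Added example, not code from the Krystal repository: a Python model of an
# X64 fixed-point fee cap like the one Common.sol line 104 configures.
# Assumption for illustration: the fee actually deducted is a caller-supplied
# X64 value that the contract only checks against the configured ceiling.

Q64 = 1 << 64  # X64 fixed point: fraction * 2**64

# The 10% protocol-fee ceiling quoted in the finding.
MAX_FEE_X64 = {"PROTOCOL_FEE": 1844674407370955264}


def to_x64(fraction: float) -> int:
    """Encode a fraction as X64 the way a float-based script would (truncating)."""
    return int(fraction * Q64)


def fee_amount(amount: int, fee_x64: int) -> int:
    """amount * fee / 2**64, rounding down, as integer Q64 math does on-chain."""
    return (amount * fee_x64) >> 64


def deduct_fee(amount: int, fee_x64: int, fee_type: str = "PROTOCOL_FEE") -> tuple:
    """Ceiling-only validation: any fee from 0 up to the cap is accepted."""
    if fee_x64 > MAX_FEE_X64[fee_type]:
        raise ValueError("TooMuchFee")  # assumed revert reason for the cap check
    fee = fee_amount(amount, fee_x64)
    return amount - fee, fee


def cap_overshoot_wei(amount: int) -> int:
    """How far the nominal 10% cap overshoots exact 10% on a given amount.

    The constant equals int(0.1 * 2**64) computed in float64, which is
    (2**64 + 1024) // 10, so as a fraction it sits ~5.55e-18 above one tenth.
    """
    return fee_amount(amount, MAX_FEE_X64["PROTOCOL_FEE"]) - amount // 10


if __name__ == "__main__":
    one_eth = 10**18
    print(to_x64(0.1) == MAX_FEE_X64["PROTOCOL_FEE"])        # True
    print(deduct_fee(one_eth, MAX_FEE_X64["PROTOCOL_FEE"]))   # max fee accepted
    print(deduct_fee(one_eth, 0))                             # zero fee also accepted
    print(cap_overshoot_wei(one_eth))                         # 5 wei above 10%
```

The zero-fee call passing validation is the point of the finding: the contract enforces only an upper bound, so the fee actually collected depends on what the caller's frontend passes in.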

3docSec commented 2 months ago

Report of sufficient quality

c4-judge commented 2 months ago

3docSec marked the issue as satisfactory

c4-judge commented 2 months ago

3docSec marked the issue as selected for report

Haupc commented 2 months ago

We only charge fees to users who use our UI to execute txns

3docSec commented 2 months ago

Invalid: intended behavior

c4-judge commented 2 months ago

3docSec marked the issue as unsatisfactory: Invalid