Closed c4-bot-3 closed 2 months ago
Report of sufficient quality, provisionally marking as satisfactory
3docSec marked the issue as satisfactory
3docSec marked the issue as selected for report
Disputed, fees are to be communicated transparently on our docs, and could be verified anytime
Invalid: it's a missing feature rather than a vulnerability
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/Common.sol#L103-L104
Vulnerability details
Impact
Users will lose their assets to fees on actions that are not worth it.
Proof of Concept
Krystal DeFi applies only one type of fee for the protocol, known as the PROTOCOL_FEE. Currently, it's set to a maximum of 10% as per the contracts, while it can be changed at any time since the contracts have a setter for it.
The protocol has one protocol fee, not as granular as a mint fee, swap fee, change-liquidity fee, collect fee, etc. The lack of projected fees leads to users losing their funds to the protocol fees from their positions. Below you can see the logic of deducting fees.
As can be seen, the fees are taken even if the action is COMPOUND_FEES. E.g., imagine the user has 100 ETH in their LP and they execute the COMPOUND_FEES action for that LP. In this case the fee deduction will be more than the fees gained in the LP, due to having one fee type.
Imagine another user has 1000 ETH and is changing their position from tick-x to tick-y. Even if the fee is 1%, the protocol charges the user 10 ETH.
And if the user swaps 1000 ETH, only 990 ETH goes to the swap; 10 ETH is deducted for the protocol.
However, if the swap experiences slippage (there is always slippage), the user will swap 989 ETH (at 1% slippage) and 1 ETH will be refunded.
So there is also a hidden fee here, because the amount is deducted beforehand.
Example
For 1000 ETH, the platform took its 10 ETH fee, and the user only did a 989 ETH equivalent swap: 1000 / 989 = 1.011%. So the hidden fee is 0.011% at 1% slippage.
Tools Used
Manual Review
Recommended Mitigation Steps
Implement a fee tier where the users can actually benefit from using the protocol. E.g.:
Swap Fee: 0.03%
Mint Fee: 0.02%
Collect Fee: 0.01%
Assessed type
Other
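As an added illustration of the tiered-fee mitigation proposed above (this is not Krystal DeFi's code and not the logic at the linked Common.sol), the sketch below keeps one capped basis-point rate per action instead of a single PROTOCOL_FEE, and exposes a view so the fee for any action can be checked before a transaction is signed. The Action enum values, the per-tier 10% ceiling and the default rates are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative per-action fee schedule (hypothetical, not Krystal DeFi's code).
/// Each action carries its own rate in basis points, individually capped,
/// instead of one PROTOCOL_FEE applied to every action.
contract TieredFees {
    // Assumed action set; the report only names COMPOUND_FEES explicitly.
    enum Action { MINT, SWAP, CHANGE_LIQUIDITY, COLLECT_FEES, COMPOUND_FEES }

    uint256 public constant BPS = 10_000;         // 100% expressed in basis points
    uint256 public constant MAX_FEE_BPS = 1_000;  // assumed hard ceiling: 10% per tier

    address public immutable owner;
    mapping(Action => uint256) public feeBps;     // e.g. SWAP => 3 means 0.03%

    event FeeUpdated(Action indexed action, uint256 oldBps, uint256 newBps);

    constructor() {
        owner = msg.sender;
        // Defaults taken from the report's suggested tiers (hypothetical values);
        // actions not listed here start at 0 and must be set explicitly.
        feeBps[Action.SWAP] = 3;          // 0.03%
        feeBps[Action.MINT] = 2;          // 0.02%
        feeBps[Action.COLLECT_FEES] = 1;  // 0.01%
    }

    /// The owner tunes one tier at a time, never above the ceiling, so raising
    /// the swap fee cannot silently raise the fee on compounding or collecting.
    function setFee(Action action, uint256 bps) external {
        require(msg.sender == owner, "not owner");
        require(bps <= MAX_FEE_BPS, "fee above cap");
        emit FeeUpdated(action, feeBps[action], bps);
        feeBps[action] = bps;
    }

    /// Deterministic quote so users and integrators can verify the exact fee
    /// for an action off-chain. Integer division rounds the fee down, i.e. in
    /// the user's favour; `net` is what actually proceeds to the action.
    function quoteFee(Action action, uint256 amount)
        public
        view
        returns (uint256 fee, uint256 net)
    {
        fee = (amount * feeBps[action]) / BPS;
        net = amount - fee;
    }
}
```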