Closed c4-bot-5 closed 2 months ago
3docSec marked the issue as satisfactory
3docSec marked the issue as selected for report
Report of sufficient quality
3docSec marked the issue as not selected for report
3docSec marked the issue as duplicate of #19
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-06-krystal-defi/blob/f65b381b258290653fa638019a5a134c4ef90ba8/src/V3Utils.sol#L76-L107
Vulnerability details
Impact
Loss of protocol fees & funds
Proof of Concept
The fees are also passed in the execute function, as crafted inside the Instructions struct calldata:
So it's possible to handcraft the fee as 0 in L:76 inside calldata.
It will be executed in L:105 only if it's greater than 0.
This leads to bypassing fees being deducted. And the below snippet remains obsolete:
The same vulnerability is applicable to gas fees too:
And since this one is originated by the OPERATOR, the execution gas fees will be taken from the operator without being paid by the user.
Tools Used
Manual Review
Recommended Mitigation Steps
The check should be as below with a range of fee limits:
Assessed type
Other
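
A sketch of the pattern this report describes (a caller-supplied fee that is only deducted when greater than 0) beside the range check it recommends, added here as an example and not taken from the report or from the Krystal code base. The contract name, the basis-point fee unit, the struct fields and the limit names are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration; every name here is hypothetical, not Krystal's V3Utils.
contract FeeBoundsSketch {
    uint256 internal constant BPS = 10_000;
    // Assumed limits chosen at deployment; the report does not state values.
    uint256 public immutable minFeeBps;
    uint256 public immutable maxFeeBps;

    struct Instructions {
        uint256 amount; // amount the operation works on
        uint256 feeBps; // fee chosen by the caller, carried in calldata
    }

    error FeeOutOfRange(uint256 feeBps);

    constructor(uint256 _minFeeBps, uint256 _maxFeeBps) {
        require(_minFeeBps <= _maxFeeBps && _maxFeeBps <= BPS, "bad limits");
        minFeeBps = _minFeeBps;
        maxFeeBps = _maxFeeBps;
    }

    /// Pattern described in the report: the fee is deducted only when the
    /// caller-supplied value is greater than 0, so feeBps = 0 skips it.
    function executeUnchecked(Instructions calldata ins)
        external pure returns (uint256 net, uint256 fee)
    {
        net = ins.amount;
        if (ins.feeBps > 0) {
            fee = (ins.amount * ins.feeBps) / BPS;
            net -= fee;
        }
    }

    /// Range check as the report recommends: reject any fee outside
    /// [minFeeBps, maxFeeBps] before computing the deduction.
    function executeBounded(Instructions calldata ins)
        external view returns (uint256 net, uint256 fee)
    {
        if (ins.feeBps < minFeeBps || ins.feeBps > maxFeeBps) {
            revert FeeOutOfRange(ins.feeBps);
        }
        fee = (ins.amount * ins.feeBps) / BPS;
        net = ins.amount - fee;
    }
}
```

With a non-zero lower limit, a call carrying feeBps = 0 reverts in executeBounded, while executeUnchecked returns the full amount with no fee taken.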