code-423n4 / 2024-06-vultisig-findings


The fees for the `FEE_TAKER` are not calculated correctly in the [ILOPool.claim](https://github.com/code-423n4/2024-06-vultisig/blob/0957ff9e50441cd6de6b4f6e28c7ea93f5cffa85/src/ILOPool.sol#L184-L261) function #216

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/0957ff9e50441cd6de6b4f6e28c7ea93f5cffa85/src/ILOPool.sol#L184-L261

Vulnerability details

Impact

When position owners claim their rewards, fees are sent to the FEE_TAKER. However, they are not calculated correctly and a larger amount of tokens is sent to the FEE_TAKER. As a result, some claimers can't claim their rewards due to a lack of tokens in ILOPool.

Proof of Concept

Position owners can claim their rewards by calling the claim function. The amount of fees that FEE_TAKER receives is intended to be the sum of the platform fee and protocol fee.

    // get amount of token0 and token1 after deduct platform fee
    (amount0, amount1) = _deductFees(amount0, amount1, _project.platformFee);
    ...
    // amount of fees after deduct performance fee
    (fees0, fees1) = _deductFees(fees0, fees1, _project.performanceFee);

From the codebase, the amount of fees that FEE_TAKER receives is amountCollected0-amount0 of token0 and amountCollected1-amount1 of token1.

    address feeTaker = IILOManager(MANAGER).FEE_TAKER();
    // transfer fee to fee taker
    TransferHelper.safeTransfer(_cachedPoolKey.token0, feeTaker, amountCollected0-amount0); //audit-issue
    TransferHelper.safeTransfer(_cachedPoolKey.token1, feeTaker, amountCollected1-amount1); //audit-issue

Here, the variables amountCollected0 and amountCollected1 represent the collected amount of tokens generated by the position that ILOPool holds on Uniswap V3.

    (uint128 amountCollected0, uint128 amountCollected1) = pool.collect(
        address(this),
        TICK_LOWER,
        TICK_UPPER,
        type(uint128).max,
        type(uint128).max
    );

Since ILOPool collects fees from Uniswap V3 with the liquidation of the whole position being used, the amount of fees transferred to the FEE_TAKER is larger than the sum of the platform fee and performance fee. As a result, fewer tokens will remain in ILOPool and some claimers can't claim their rewards.

Tools Used

Manual Review

Recommended Mitigation Steps

The amount of tokens that is expected to be transferred to the FEE_TAKER should be the sum of platform fee and performance fee.

Assessed type

Other
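
An added example, not part of the original report or the project's code: a simplified single-token Python model of the accounting described above, comparing the reported transfer (`amountCollected - amount`) with the recommended one (platform fee plus performance fee). The two equal claimers sharing one position, the token amounts, the fee rates and the `claim`/`simulate` helpers are all assumptions made for illustration.

```python
# Constructed single-token model of the fee accounting described in the report.
# All numbers and the equal split between two claimers are assumptions.
BPS = 10_000

def deduct(amount, fee_bps):
    """Amount left after removing fee_bps (stands in for _deductFees)."""
    return amount - amount * fee_bps // BPS

def claim(state, principal, fee_share, platform_bps, performance_bps, fixed):
    """Run one claim against the shared position; return (to_claimer, to_fee_taker)."""
    to_claimer = deduct(principal, platform_bps) + deduct(fee_share, performance_bps)
    # Platform fee plus performance fee: what the report says FEE_TAKER should get.
    intended_fee = principal + fee_share - to_claimer
    # collect(max, max) pulls everything owed to the position: this claimer's
    # burned principal plus ALL swap fees not collected yet, for every claimer.
    collected = principal + state["uncollected_fees"]
    if to_claimer > state["pool_balance"] + collected:
        # Models the failed transfer: the claim reverts and state is unchanged.
        raise RuntimeError("ILOPool holds too few tokens to pay the claimer")
    to_fee_taker = intended_fee if fixed else collected - to_claimer
    state["pool_balance"] += collected - to_claimer - to_fee_taker
    state["uncollected_fees"] = 0
    return to_claimer, to_fee_taker

def simulate(fixed):
    """Two claimers, each with 1000 principal and 200 accrued swap fees."""
    state = {"uncollected_fees": 400, "pool_balance": 0}
    results = []
    for name in ("alice", "bob"):
        try:
            # 100 bps platform fee, 1000 bps performance fee (assumed rates).
            results.append((name, *claim(state, 1000, 200, 100, 1000, fixed)))
        except RuntimeError as exc:
            results.append((name, str(exc)))
    return results, state["pool_balance"]

if __name__ == "__main__":
    print("as reported:", simulate(fixed=False))
    print("fee = platform + performance:", simulate(fixed=True))
```

In the model, the first claim sends the fee taker the second claimer's uncollected swap fees as well, so the second claim cannot be paid; with the fee limited to platform plus performance fee, both claims succeed and the pool ends with a zero balance.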

c4-judge commented 4 months ago

alex-ppg marked the issue as duplicate of #43

c4-judge commented 4 months ago

alex-ppg marked the issue as satisfactory