Open hats-bug-reporter[bot] opened 1 week ago
It's intended design. Neither the protocol nor the team collects deposit fees; they are naturally deducted where necessary (e.g. bridging fees).
For most LST minters the deposit fee is 0. If it's a sidechain LST deployment (e.g. https://accumulated.finance/stake/vlx/#bnb), tokens are automatically bridged to the destination chain and the bridge fee is applied:
```solidity
function deposit(uint256 amount, address receiver) public override nonReentrant {
    require(amount > 0, "ZeroDeposit");
    // mintAmount is the deposit net of any fee applied by previewDeposit()
    uint256 mintAmount = previewDeposit(amount);
    require(mintAmount > 0, "ZeroMintAmount");
    // pull the full deposit from the user, then forward it to the bridge
    baseToken.safeTransferFrom(address(msg.sender), address(this), amount);
    baseTokenERC677.transferAndCall(address(bridge), amount, abi.encodePacked(destination));
    // shares are minted for the net amount; the bridge fee is deducted on the other side
    stakingToken.mint(receiver, mintAmount);
    emit Deposit(address(msg.sender), receiver, amount);
}
```
In this example, the user deposits 100 VLX and receives 99.9 stVLX. 100 VLX is sent to the bridge, 99.9 VLX is received on the destination chain and then staked.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x017dffd99902155af2700a14f8e27b74075509538389699da72d08cc2cd608cb
Severity: high

**Description**

The protocol is expected to charge the deposit, withdraw and redeem fee, which is capped at a maximum depending on the fee. 500 BPS would be the maximum fee which can be charged in case of deposits, withdrawals and redeems of tokens. The issue is about the failure to withdraw the deposit fee to the protocol's receiver address, i.e. loss of the deposit fee, which is also a loss of additional revenue.

`stROSEMinter.sol` is the main contract, which inherits `NativeMinterWithdrawal` from the `Minter.sol` contract, and the further inheritance is as follows: `NativeMinterWithdrawal.sol` inherits `NativeMinterWithdrawal.sol`, which inherits the `NativeMinter` contract, which has the deposit and withdraw functions, and these are implemented as:

Below is the expected functionality of `deposit()`:

1) The user deposits native ROSE token by calling the `deposit()` function. To be noted, this would be directly accessible at the `stROSEMinter` contract due to the inheritance of contracts.
2) The contract will deduct the fee by calculating it via the `previewDeposit()` function. The `amount - fee` will be `mintAmount`, and this `mintAmount` will be minted as `stROSE` token to the `receiver` address.

Below is the expected functionality of `withdraw()`:

1) Whenever the deposit fee is paid by users to the contract, the owner is expected to withdraw the fee by calling the `withdraw()` function. This action by the owner will transfer all native ROSE token to the owner's receiver address, i.e. all deposit fee would be transferred.

NOW, the issue is: since `stROSEMinter.sol` follows the multiple contract inheritance which is detailed above, the `withdraw()` function will always revert. This is due to `withdraw()` being overridden in the `stROSEMinter` contract, which is implemented as below:

Therefore, any deposit fee paid by users while depositing ROSE token won't be withdrawable to the owner's receiver address. This is due to the lack of deposit fee withdrawal functionality.

It should be noted that the deposit fee is not tracked, which is a different issue, and it can be mitigated together with this issue.

**Impact**

Loss of revenue to the protocol due to permanent lock of deposit fees. Therefore, high severity issue.

**Recommendations**

Suggest implementing `collectDepositFees()`, where `totalDepositFee` should also be tracked, similar to `collectWithdrawalFees()`.

Consider implementing the following changes in the `NativeMinter.sol` contract:

This function would be accessible at `stROSEMinter` due to inheritance with the `NativeMinter` contract.
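The following is an added illustration of the accounting pattern the report recommends; it is not the project's code and is not part of either comment above. It models a native-token minter that books the deposit fee into a `totalDepositFee` counter at deposit time and exposes a separate `collectDepositFees()` collector, so that a derived contract overriding `withdraw()` to revert cannot strand the fees. Every contract, function and variable name here (`FeeTrackingNativeMinter`, `LockedWithdrawMinter`, `feeReceiver`, `IMintableToken`) is an assumption chosen for the example; only the 500 BPS cap and the `previewDeposit()`, `deposit()`, `withdraw()`, `collectDepositFees()` and `totalDepositFee` names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Names below are assumptions for illustration.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

contract FeeTrackingNativeMinter {
    uint256 public constant MAX_FEE_BPS = 500;      // the 500 BPS cap the report cites
    uint256 public constant BPS_DENOMINATOR = 10_000;

    address public owner;
    address public feeReceiver;                     // assumed: where collected fees go
    IMintableToken public stakingToken;             // assumed: stROSE-like share token
    uint256 public depositFeeBps;
    uint256 public totalDepositFee;                 // fees accrued and not yet collected

    event Deposit(address indexed sender, address indexed receiver, uint256 amount, uint256 fee);
    event DepositFeesCollected(address indexed receiver, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "NotOwner");
        _;
    }

    constructor(IMintableToken _stakingToken, address _feeReceiver, uint256 _depositFeeBps) {
        require(_depositFeeBps <= MAX_FEE_BPS, "FeeTooHigh");
        owner = msg.sender;
        stakingToken = _stakingToken;
        feeReceiver = _feeReceiver;
        depositFeeBps = _depositFeeBps;
    }

    // Net mint amount and the fee taken, for a given native deposit.
    function previewDeposit(uint256 amount) public view returns (uint256 mintAmount, uint256 fee) {
        fee = (amount * depositFeeBps) / BPS_DENOMINATOR;
        mintAmount = amount - fee;
    }

    // Native-token deposit: msg.value is the amount deposited.
    function deposit(address receiver) external payable {
        require(msg.value > 0, "ZeroDeposit");
        (uint256 mintAmount, uint256 fee) = previewDeposit(msg.value);
        require(mintAmount > 0, "ZeroMintAmount");
        totalDepositFee += fee;                     // book the fee so it is never commingled silently
        stakingToken.mint(receiver, mintAmount);
        emit Deposit(msg.sender, receiver, msg.value, fee);
    }

    // Principal withdrawal by the owner; derived contracts may override or disable it.
    // It deliberately excludes the fee bucket so it cannot sweep accrued fees.
    function withdraw(uint256 amount) external virtual onlyOwner {
        require(amount <= address(this).balance - totalDepositFee, "ExceedsPrincipal");
        (bool ok, ) = feeReceiver.call{value: amount}("");
        require(ok, "TransferFailed");
    }

    // Dedicated fee collector, independent of withdraw(): a revert in an
    // overridden withdraw() does not affect this path.
    function collectDepositFees() external onlyOwner {
        uint256 amount = totalDepositFee;
        require(amount > 0, "NoFees");
        totalDepositFee = 0;                        // effects before interaction
        (bool ok, ) = feeReceiver.call{value: amount}("");
        require(ok, "TransferFailed");
        emit DepositFeesCollected(feeReceiver, amount);
    }
}

// Derived contract in the shape the report describes: withdraw() overridden to revert.
// collectDepositFees() remains reachable through inheritance, so fees are not locked.
contract LockedWithdrawMinter is FeeTrackingNativeMinter {
    constructor(IMintableToken t, address r, uint256 f) FeeTrackingNativeMinter(t, r, f) {}

    function withdraw(uint256) external pure override {
        revert("WithdrawDisabled");
    }
}
```

The point of the separate counter is that the contract's native balance alone cannot tell fee from principal; with `totalDepositFee` booked on every deposit, the collector knows exactly what it may send, and `withdraw()` can be overridden or disabled downstream without touching fee collection. A deployment check is simply to call `collectDepositFees()` from the owner on a testnet deployment of the most-derived contract after one fee-bearing deposit and confirm the receiver balance moves.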