search

hats-finance / Common--Stableswap-0xd4d9a2772202ce33b24901d3fc94e95a84b37430

Apache License 2.0
0 stars 0 forks source link

fee_receiver : the fees are calculated even if `the fee_receiver` is not yet set #17

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x7c33f383d6971f20867127ee7724290da60618de5178ee4466223ebb1d0e5771 Severity: medium

Description: Description

there are following fee are availavle - trade_fee and protocol_fee. when a stable pool is created, the fee_receiver and these fee would be set. There are no validation for the fee_receiver account. the pool is created.

mint_protocol_fee is done when _swap_exact_in and _swap_exact_out - these two functions caulcates the fee and call the mint_protocol_fee to mint the fee.

if we check the mint_protocol_fee function, it checks whetehr there is valid fee_receiver or not. Refer here

Since there were no validation for fee_receiver when creating pool and the fee_receiver is validdated when minting fee, we can assume that there are possiblityes that the fee_receiver would be zero account.

The same can be seen in the add_liquidity function where the fee amount is calculated first and then the fee_receiver is validated to mint fee.

so, if fee_receiver is not set when creating the pool, whenever user add liqudity or swap, the fee is calculated on the input amount and left without use.

if we see the function set_fee_receiver , there also the valid account is not checked. but when minting fee, the account is validate. this implies that the owner would plan to remove fee fully at some time or when needed to attract the user.

Impact

Fee amonunt will not be accounted when the fee_receiver is not set and planned to set after the pool creation done.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

whenever fee amount is computed on the input amount, check for valid fee receiver

JanKuczma commented 1 month ago

Thank you for your submission.

When fee_receiver is set to None it means that protocol_fee is not accounted for. In this case, all the trade_fee goes to the pool, for the benefit of the LP providers.

About the zero address. The zero address in Substrate based chains is not the same as in EVM chains. There is no guarantee that the private key for the zero address is not known because the Substrate based chains use sr25519 and ed25519. Here is the more detailed explanation why this is the case.