search

hats-finance / Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a

The smart contracts of the Intuition protocol v1.
https://intuition.systems
Other
0 stars 1 forks source link

Users can avoid `protocolDepositFee` #29

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @0x3b33 Twitter username: -- Submission hash (on-chain): 0xba85a85b151173793b93877c70986ecec1421efb49e866cddb10d45e98892c89 Severity: medium

Description: Description\ On Atom wallet creation (inside _createAtom), users can avoid the protocolDepositFee by simply sending enough funds to cover only the atomCost. This allows users to avoid paying protocol fees, reducing the protocol's profits.

Attack Scenario\

  1. Alice creates an Atom wallet with 1 ETH.
  2. She pays 0.1 ETH for the creation and 10% of the deposit as a protocol fee (0.9 ETH).
  3. Bob creates an Atom wallet with 0.1 ETH and only pays the creation fee, which covers the transaction executor's gas costs, without paying any protocol fees.

Attachments\ Charge a fixed fee or require a minimum deposit for wallet creation.

mihailo-maksa commented 4 months ago

This report is based on a misunderstanding of the protocol's fee structure:

  1. Fixed and Proportional Fees: The protocol charges both a fixed creation fee (atomCreationProtocolFee) and a proportional fee (protocolFee). If a user sends only the atom cost, they avoid the proportional fee by design. This incentivizes smaller deposits and aligns with our fee structure.
  2. User Flexibility: Allowing users to choose their deposit amount, subject to fixed fees, provides flexibility and encourages protocol use without unnecessary financial burden.

In conclusion, the fee structure works as intended, providing a balanced approach to cost and incentive. Therefore, this issue is invalid.