FeeManager_v1 relies on the function selector to correctly guess the return the fees for that specific function and module.
The issue is that _getFunctionFeesAndTreasuryAddresses is called with the incorrect function selector.
The protocol uses:
bytes4(keccak256(bytes("_sellOrder(address, uint, uint)"))) = 0x668a3242,
While the actual selector should be:
bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)"))) = 0x2f4c0892.
The second one is the correct one, as _sellOrder function selector is exacltly 0x2f4c0892.
If we assume that the owner of setCollateralWorflowFee correctly uses the 0x2f4c0892 selector, then _sellOrder won't work correctly as getCollateralWorkflowFeeAndTreasury will incorrectly return defaultCollateralFee instead of the real workflow fee that was set.
Attack Scenario\
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Compute the function selector correctly:
bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)")));
Github username: -- Twitter username: @EgisSec Submission hash (on-chain): 0xd0367377ae90fc3f5fe8864c5fef13598fefaff2c95ff08061700b1e51f78aef Severity: low
Description: Description\
RedeemingBondingCurveBase_v1
uses_getFunctionFeesAndTreasuryAddresses
to get fee percentages from theFeeManager_v1
.FeeManager_v1
relies on the function selector to correctly guess the return the fees for that specific function and module.The issue is that
_getFunctionFeesAndTreasuryAddresses
is called with the incorrect function selector.The protocol uses:
bytes4(keccak256(bytes("_sellOrder(address, uint, uint)"))) = 0x668a3242
,While the actual selector should be:
bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)"))) = 0x2f4c0892
.The second one is the correct one, as
_sellOrder
function selector is exacltly0x2f4c0892
.If we assume that the owner of
setCollateralWorflowFee
correctly uses the0x2f4c0892
selector, then_sellOrder
won't work correctly asgetCollateralWorkflowFeeAndTreasury
will incorrectly returndefaultCollateralFee
instead of the real workflow fee that was set.Attack Scenario\
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
Compute the function selector correctly:
bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)")));