hats-finance / Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb

Fork of the Inverter Smart Contracts Repository
GNU Lesser General Public License v3.0

RedeemingBondingCurveBase_v1.sol - Computes function selector incorrectly #62

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: --
Twitter username: @EgisSec
Submission hash (on-chain): 0xd0367377ae90fc3f5fe8864c5fef13598fefaff2c95ff08061700b1e51f78aef
Severity: low

Description:

RedeemingBondingCurveBase_v1 uses _getFunctionFeesAndTreasuryAddresses to get fee percentages from the FeeManager_v1.

    // Get protocol fee percentages and treasury addresses
    (
        address collateralTreasury,
        address issuanceTreasury,
        uint collateralBuyFeePercentage,
        uint issuanceBuyFeePercentage
    ) = _getFunctionFeesAndTreasuryAddresses(
        bytes4(keccak256(bytes("_buyOrder(address, uint, uint)")))
    );

FeeManager_v1 relies on the function selector to correctly return the fees for that specific function and module.

The issue is that _getFunctionFeesAndTreasuryAddresses is called with the incorrect function selector.

The protocol uses: bytes4(keccak256(bytes("_sellOrder(address, uint, uint)"))) = 0x668a3242,

While the actual selector should be: bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)"))) = 0x2f4c0892.

The second one is the correct one, as the _sellOrder function selector is exactly 0x2f4c0892.

If we assume that the owner of setCollateralWorkflowFee correctly uses the 0x2f4c0892 selector, then _sellOrder won't work correctly as getCollateralWorkflowFeeAndTreasury will incorrectly return defaultCollateralFee instead of the real workflow fee that was set.

Attack Scenario

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

Compute the function selector correctly: bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)")));
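A review-time check for this class of bug, added here as an example and not part of the report or the Inverter code base: it scans Solidity source for signature strings passed to `keccak256` and flags any that are not in canonical ABI form (no whitespace, `uint`/`int` spelled out as `uint256`/`int256`). The function names, the regex and the sample source are assumptions made for the illustration; it expects type-only signatures on a single line.

```python
import re

# String literals hashed as selectors: keccak256(bytes("...")) or keccak256("...")
SIG_LITERAL = re.compile(r'keccak256\(\s*(?:bytes\(\s*)?"([^"]+)"')
# Type aliases that must be expanded in a canonical signature
ALIASES = {"uint": "uint256", "int": "int256"}


def canonicalize(signature: str) -> str:
    """Return the canonical ABI form: whitespace removed, bare uint/int expanded."""
    compact = re.sub(r"\s+", "", signature)
    # \b keeps sized types (uint8, int128, uint256) untouched; uint[] is expanded
    return re.sub(r"\b(uint|int)\b", lambda m: ALIASES[m.group(1)], compact)


def find_noncanonical(source: str):
    """Return (line_no, literal, canonical) for each hashed signature that differs."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for literal in SIG_LITERAL.findall(line):
            if "(" not in literal:
                continue  # hashed string is not a function signature
            fixed = canonicalize(literal)
            if fixed != literal:
                findings.append((line_no, literal, fixed))
    return findings


# Constructed sample: the call quoted in the report plus the suggested fix
SAMPLE = '''\
// constructed sample for the scanner
_getFunctionFeesAndTreasuryAddresses(
    bytes4(keccak256(bytes("_buyOrder(address, uint, uint)")))
);
bytes4 ok = bytes4(keccak256(bytes("_sellOrder(address,uint256,uint256)")));
'''

if __name__ == "__main__":
    for line_no, literal, fixed in find_noncanonical(SAMPLE):
        print(f"line {line_no}: {literal!r} hashes to a different selector; use {fixed!r}")
```
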

0xdeth commented 4 months ago

I forgot to add that this will also retrieve the incorrect issuance fee.

This also happens in calculateSaleReturn.

0xmahdirostami commented 3 months ago

thanks @PlamenTSV