Closed sherlock-admin closed 1 year ago
ak1
medium
minRequiredDeposit(_assets)
deposit
depositETH
Carousel.sol has two types of fee, 1.)relayerFee ( should be relayerFee < 10000). 2.) depositFee ( should be depositFee > 250)
Carousel.sol
1.)relayerFee ( should be relayerFee < 10000)
2.) depositFee ( should be depositFee > 250)
relayer fee is used in que based deposit whereas deposit fee is used in direct deposit of assets.
relayer fee
deposit fee
Using the realer fee to decide the direct deposit could be incorrect.
when we see the deposit and depositETH functions, both are having minRequiredDeposit(_assets) modifier which has the relayer fee based condition,
modifier minRequiredDeposit(uint256 _assets) { if (_assets < relayerFee) revert MinDeposit(); _; }
when we look at the _deposit, ti has the _calculateFeePercent to calculate fee incase deposit fee is greater than zero.
_calculateFeePercent
inside the function _calculateFeePercent, deposit fee is used to calculate the fee.
function _calculateFeePercent(int256 minX, int256 maxX) internal view returns (uint256 _y) { /** * Two Point Form * https://www.cuemath.com/geometry/two-point-form/ * https://ethereum.stackexchange.com/a/143172 */ // minY will always be 0 thats why is (maxY - minY) shorten to maxY int256 maxY = int256(depositFee) * int256(FixedPointMathLib.WAD); -----------------> audit find _y = uint256( // cast to uint256 ((((maxY) / (maxX - minX)) * (int256(block.timestamp) - maxX)) + maxY) / (int256(FixedPointMathLib.WAD)) // two point math // scale down ); }
Incorrect fee value is used to decide the deposit and depositETH. when we look at the the below check in constructor,
if (_data.relayerFee < 10000) revert RelayerFeeToLow(); if (_data.depositFee > 250) revert BPSToHigh();
having the check < 10000 for relayerr fee, the condition for deposit fee is violated.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L78-L118
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L470-L489
Manual Review
Use another modifier like deposit fee based, to decide the minimum deposit for direct deposit such as deposit and depsoitETH
ak1
medium
Carousel.sol : Incorrect fee is used in
minRequiredDeposit(_assets)used fordepositanddepositETHSummary
Carousel.solhas two types of fee,1.)relayerFee ( should be relayerFee < 10000).2.) depositFee ( should be depositFee > 250)relayer feeis used in que based deposit whereasdeposit feeis used in direct deposit of assets.Using the realer fee to decide the direct deposit could be incorrect.
Vulnerability Detail
when we see the deposit and depositETH functions, both are having
minRequiredDeposit(_assets)modifier which has the relayer fee based condition,when we look at the _deposit, ti has the
_calculateFeePercentto calculate fee incase deposit fee is greater than zero.inside the function
_calculateFeePercent, deposit fee is used to calculate the fee.Impact
Incorrect fee value is used to decide the deposit and depositETH. when we look at the the below check in constructor,
having the check < 10000 for relayerr fee, the condition for deposit fee is violated.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L78-L118
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L470-L489
Tool used
Manual Review
Recommendation
Use another modifier like deposit fee based, to decide the minimum deposit for direct deposit such as deposit and depsoitETH