XO-computeFee function allows attacker to avoid paying fees
Summary
The vulnerability in the computeFee function allows an attacker to avoid paying fees. Thie vulnerability occurs when the takerFee is set to zero. The attacker can exploit this bug by sending a transaction that sets the takerFee to zero. This will cause the computeFee function to return a zero fee, which will allow the attacker to avoid paying fees for their trades.
- The vulnerability is exist in the `computeFee` function, so the problem is that there is line that calculates the taker fee, it does not take into account the fact that the `takerFee` can be zero. If the `takerFee` is zero, then the `takerNotional` will be multiplied by zero, which will result in a zero fee.
-This vulnerability could be exploited by an attacker to avoid paying fees. For example, the attacker could send a transaction that sets the `takerFee` to zero. This would cause the `computeFee` function to return a zero fee, which would allow the attacker to avoid paying fees for their trades.
## Impact
- The vulnerability allows an attacker to avoid paying fees, which leading in financial losses.
## Code Snippet
- https://github.com/sherlock-audit/2023-05-perennial/blob/main/perennial-mono/packages/perennial/contracts/interfaces/types/PrePosition.sol#L107C6-L122C1
## Tool used
Manual Review
## Recommendation
- The `takerFee` variable should be checked to make sure it is not zero. If it is zero, then the `takerNotional` should be multiplied by zero instead of the `takerFee.`
XDZIBEC
high
XO-
computeFee
function allows attacker to avoid paying feesSummary
The vulnerability in the
computeFee
function allows an attacker to avoid payingfees.
Thie vulnerability occurs when thetakerFee
is set to zero. The attacker can exploit this bug by sending a transaction that sets thetakerFee
to zero. This will cause thecomputeFee
function to return a zero fee, which will allow the attacker to avoid paying fees for theirtrades.
Vulnerability Detail