withdrawfee can be avoided by setting deviationBP as 0
Summary
Deposit and withdraws fee in all cases can be avoided by setting deviationBP as 0
In deposit and withdraw funciton in Dispatcher.sol deviationBP is send as an argument which can be set to 0.
Vulnerability Detail
function deposit(uint256 pid, uint256 amount, uint256 deviationBP) external checkPid(pid) {// @audit why letting user set ddeviationbp as it can be set to 0
karanctf
false
withdrawfee can be avoided by setting deviationBP as 0
Summary
Deposit and withdraws fee in all cases can be avoided by setting
deviationBP
as 0 In deposit and withdraw funciton in Dispatcher.sol deviationBP is send as an argument which can be set to 0.Vulnerability Detail
Impact
No fee will be paid causing loss for protocol
Code Snippet
https://github.com/sherlock-audit/2023-06-real-wagmi/blob/main/concentrator/contracts/Dispatcher.sol#L160 In withdrawFee function
Tool used
Manual Review
Recommendation
Prevent
deviationBP
to be set by user.