search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

bin2chen - fund() fee token be locked #119

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

bin2chen

high

fund() fee token be locked

Summary

in MarketFactory.fund() the claimed protocolFee is stored in the contract. but no method is provided to withdraw it, resulting in a permanent lock.

Vulnerability Detail

in MarketFactory.fund() , it can claim protocolFee to MarketFactory.sol

contract MarketFactory is IMarketFactory, Factory {
.....
    function fund(IMarket market) external {
        if (!instances(IInstance(address(market)))) revert FactoryNotInstanceError();
@>      market.claimFee();
    }
contract Market is IMarket, Instance, ReentrancyGuard {
....
    function claimFee() external {
        Global memory newGlobal = _global.read();

@>      if (_claimFee(address(factory()), newGlobal.protocolFee)) newGlobal.protocolFee = UFixed6Lib.ZERO;
...
    }

From the above code, we can see that fund() will store the claim protocolFee in the contract. But the MarketFactory.sol contract doesn't provide any way to withdraw it, so it's permanently locked in the contract. Suggest fund() to transfer the fee Token directly to MarketFactory.owner().

Impact

reward token be locked

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L87-L90

Tool used

Manual Review

Recommendation

contract MarketFactory is IMarketFactory, Factory {
...
    function fund(IMarket market) external {
        if (!instances(IInstance(address(market)))) revert FactoryNotInstanceError();
        market.claimFee();
+       market.reward().push(owner());
    }

Duplicate of #52

sherlock-admin commented 1 year ago

1 comment(s) were left on this issue during the judging contest.

141345 commented:

d