SBSecurity - `Allo.sol` feeAmount will round down to 0 when user calls `fundPool()` with small amount

[sherlock-admin2]

SBSecurity

medium

Allo.sol feeAmount will round down to 0 when user calls fundPool() with small amount

Allo won’t charge fee for fund small amounts.

Vulnerability Detail

Allo.sol takes a fee when it funds a pool via _fundPool(), and the fee is applied based on the percentFee. The variable is represented in e18 format as specified in the code.

How the percentage is represented in our contracts: 1e18 = 100%, 1e17 = 10%, 1e16 = 1%, 1e15 = 0.1%

So if Allo is, say, with 1e15 (0.1%), we need to pass at least 1000 as an amount in order for Allo to take a fee, any other numbers below that will round the calculation of fee Amount to 0.

No matter what percentFee is currently set. The amount when fund a pool, must be -

`1e18 / percentFee* or *1e(18 - percentFee decimals)`*

Impact

The user can call fundPool() with a small amount many times and Allo will never take any fees.

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/6430c8004017e96ae2f5aac365bdefd0b6eeea72/allo-v2/contracts/core/Allo.sol#L496-L520

Tool used

Manual Review

Recommendation

Use other percentFee representation.

Duplicate of #198

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

n33k commented:

bypassing of fee is an acceptable risk