BunnySupply missing accumulated fees in Protocol Owned Liquidity(aka POL) calculation
Summary
In getProtocolOwnedLiquidityOhm function of BunniSupply smart contract, it does not calculate fee as POL.
Vulnerability Detail
Fees generated by trading on UniswapV3 pools have to be calculated as Protocol Owned Liquidity, because OHM pools are owned by Olympus protocol.
Also, it calculates fee as protocol owned liquidity in reserves calculation but it's missing in getProtocolOwnedLiquidityOhm.
In getProtocolOwnedLiquidityOhm:
total += _getOhmReserves(key, lens); // Only calculates tokens for liquidity
In getProtocolOwnedLiquidityReserves:
(
address token0,
address token1,
uint256 reserve0,
uint256 reserve1
) = _getReservesWithFees(key, lens); // Includes fee as well
Impact
Leads to incorrect OHM supply calculation even though trading fees clearly belong to Protocol Owned Liquidity.
KupiaSec
medium
BunnySupply missing accumulated fees in Protocol Owned Liquidity(aka POL) calculation
Summary
In
getProtocolOwnedLiquidityOhm
function ofBunniSupply
smart contract, it does not calculate fee as POL.Vulnerability Detail
Fees generated by trading on UniswapV3 pools have to be calculated as Protocol Owned Liquidity, because OHM pools are owned by Olympus protocol. Also, it calculates fee as protocol owned liquidity in reserves calculation but it's missing in
getProtocolOwnedLiquidityOhm
.In
getProtocolOwnedLiquidityOhm
:In
getProtocolOwnedLiquidityReserves
:Impact
Leads to incorrect OHM supply calculation even though trading fees clearly belong to Protocol Owned Liquidity.
Code Snippet
https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/submodules/BunniSupply.sol#L188 https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/submodules/BunniSupply.sol#L399-L409
Tool used
Manual Review
Recommendation
getProtocolOwnedLiquidityOhm
function should return the sum of reserves and fees.Duplicate of #49