sherlock-audit / 2023-11-olympus-judging


KupiaSec - BunniSupply missing accumulated fees in Protocol Owned Liquidity (aka POL) calculation #128

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

KupiaSec

medium

BunniSupply missing accumulated fees in Protocol Owned Liquidity (aka POL) calculation

Summary

In the getProtocolOwnedLiquidityOhm function of the BunniSupply smart contract, fees are not counted as POL.

Vulnerability Detail

Fees generated by trading on UniswapV3 pools have to be counted as Protocol Owned Liquidity, because the OHM pools are owned by the Olympus protocol. Also, fees are counted as protocol owned liquidity in the reserves calculation, but they are missing in getProtocolOwnedLiquidityOhm.

In getProtocolOwnedLiquidityOhm:

total += _getOhmReserves(key, lens); // Only calculates tokens for liquidity

In getProtocolOwnedLiquidityReserves:

(
    address token0,
    address token1,
    uint256 reserve0,
    uint256 reserve1
) = _getReservesWithFees(key, lens); // Includes fee as well

Impact

Leads to an incorrect OHM supply calculation, even though trading fees clearly belong to Protocol Owned Liquidity.

Code Snippet

https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/submodules/BunniSupply.sol#L188
https://github.com/sherlock-audit/2023-11-olympus/blob/9c8df76dc9820b4c6605d2e1e6d87dcfa9e50070/bophades/src/modules/SPPLY/submodules/BunniSupply.sol#L399-L409

Tool used

Manual Review

Recommendation

The getProtocolOwnedLiquidityOhm function should return the sum of reserves and fees.

Duplicate of #49
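The inconsistency the report describes can be turned into an invariant check: the OHM counted by getProtocolOwnedLiquidityOhm should equal the OHM entry of what getProtocolOwnedLiquidityReserves reports. The Python model below is an added example, not code from the Olympus repository or the submitter; PoolSnapshot, get_ohm_reserves and get_reserves_with_fees are simplified stand-ins for the contract's position data and its _getOhmReserves / _getReservesWithFees helpers, and SAMPLE_POOLS holds constructed figures (OHM with 9 decimals, the counter-assets with 18).

```python
from dataclasses import dataclass

OHM = "OHM"


@dataclass(frozen=True)
class PoolSnapshot:
    """Constructed view of one protocol-owned Uniswap V3 position.
    Illustrative only; not BunniSupply's real data model."""
    token0: str
    token1: str
    reserve0: int  # token0 currently deployed as in-range liquidity
    reserve1: int  # token1 currently deployed as in-range liquidity
    fees0: int     # uncollected trading fees owed to the position, in token0
    fees1: int     # uncollected trading fees owed to the position, in token1


def get_ohm_reserves(pool: PoolSnapshot) -> int:
    """Stand-in for _getOhmReserves: the OHM side of deployed liquidity only."""
    if pool.token0 == OHM:
        return pool.reserve0
    if pool.token1 == OHM:
        return pool.reserve1
    return 0


def get_reserves_with_fees(pool: PoolSnapshot):
    """Stand-in for _getReservesWithFees: reserves plus uncollected fees per token."""
    return (pool.token0, pool.token1,
            pool.reserve0 + pool.fees0, pool.reserve1 + pool.fees1)


def pol_ohm_as_reported(pools) -> int:
    """Mirrors the flagged getProtocolOwnedLiquidityOhm: liquidity only, fees dropped."""
    return sum(get_ohm_reserves(p) for p in pools)


def pol_reserves(pools) -> dict:
    """Mirrors getProtocolOwnedLiquidityReserves: per-token totals including fees."""
    totals: dict = {}
    for p in pools:
        t0, t1, r0, r1 = get_reserves_with_fees(p)
        totals[t0] = totals.get(t0, 0) + r0
        totals[t1] = totals.get(t1, 0) + r1
    return totals


def pol_ohm_fixed(pools) -> int:
    """Recommended behaviour: the OHM side of reserves *including* accrued fees."""
    total = 0
    for p in pools:
        t0, t1, r0, r1 = get_reserves_with_fees(p)
        if t0 == OHM:
            total += r0
        elif t1 == OHM:
            total += r1
    return total


def ohm_accounting_gap(pools) -> int:
    """Invariant an auditor can assert on: POL OHM must equal the OHM entry of POL
    reserves. Returns the shortfall (0 when the two views agree)."""
    return pol_reserves(pools).get(OHM, 0) - pol_ohm_as_reported(pools)


# Constructed sample: one OHM/wETH and one DAI/OHM position with small fee balances.
SAMPLE_POOLS = [
    PoolSnapshot(OHM, "wETH",
                 reserve0=1_000 * 10**9, reserve1=5 * 10**18,
                 fees0=3 * 10**9, fees1=10**16),
    PoolSnapshot("DAI", OHM,
                 reserve0=20_000 * 10**18, reserve1=2_000 * 10**9,
                 fees0=50 * 10**18, fees1=5 * 10**9),
]

if __name__ == "__main__":
    print("reported POL OHM:", pol_ohm_as_reported(SAMPLE_POOLS))
    print("POL reserves    :", pol_reserves(SAMPLE_POOLS))
    print("fixed POL OHM   :", pol_ohm_fixed(SAMPLE_POOLS))
    print("shortfall (OHM) :", ohm_accounting_gap(SAMPLE_POOLS))
```

With the sample figures the reserves view credits 3,008 OHM to POL while the OHM view credits only 3,000, so the 8 OHM of accrued fees are silently excluded from the supply calculation; a non-zero ohm_accounting_gap is the signal to look for in a test suite, and it returns to zero once the OHM function is built from the fee-inclusive reserves.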

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

nirohgo commented:

Duplicate of 132