search

sherlock-audit / 2023-12-dodo-gsp-judging

6 stars 5 forks source link

Angry_Mustache_Man - Fee amount charged by the Protocol can be circumvented for low-decimal Stablecoins #144

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

Angry_Mustache_Man

medium

Fee amount charged by the Protocol can be circumvented for low-decimal Stablecoins

Summary

When Quote token is a low-decimal ERC20 Stablecoin , the fee collected by the protocol in GSPTrader.sol#querySellBase can be circumvented to 0 for smaller deposits.

Vulnerability Detail

Let's consider the example where Base Token is USDC and Quote Token is a token like GeminiUSD which is a token with 300M+ market cap, which is widely used StableCoin. Now see this piece of code:

 function querySellBase(address trader, uint256 payBaseAmount)
        public
        view
        returns (
            uint256 receiveQuoteAmount,
            uint256 mtFee,
            PMMPricing.RState newRState,
            uint256 newBaseTarget
        )
    {
        PMMPricing.PMMState memory state = getPMMState();
        (receiveQuoteAmount, newRState) = PMMPricing.sellBaseToken(state, payBaseAmount);

        uint256 lpFeeRate = _LP_FEE_RATE_;
        uint256 mtFeeRate = _MT_FEE_RATE_;
 @>  mtFee = DecimalMath.mulFloor(receiveQuoteAmount, mtFeeRate);
        receiveQuoteAmount = receiveQuoteAmount
 @>       - DecimalMath.mulFloor(receiveQuoteAmount, lpFeeRate)
            - mtFee;
        newBaseTarget = state.B0;
    }

Let's say the mtFeeRate is about 1% and let's say an amount of 8 DAI(8e18) has been put to sale which would give the receiveQuoteAmount to be about 7.8 GeminiUSD(7.8e2). In this case the fee calculated will be round to zero.

Impact

The protocol doesn't collect fees from Vaults with low decimal StableCoin as the Quote Tokens .

Code Snippet

https://github.com/sherlock-audit/2023-12-dodo-gsp/blob/main/dodo-gassaving-pool/contracts/GasSavingPool/impl/GSPTrader.sol#L224C3-L244C6

Tool used

Manual Review

Recommendation

Consider adding zero checks for these cases and if the fee circumvents to 0,then use a constant fee for those cases

nevillehuang commented 9 months ago

Invalid, mtFeeRate is in 18 decimals. From the example given, 1% will represent 1e16, so 7,8e2 * 1e16 / 1e18 will not round down to zero. Additionally, GEMINIUSD is likely not supported since it is a token of non-standard behavior with 2 decimals place not explicitly mentioned. For USDC and USDT, it is unilikely to round down given the extremely minute amounts required as they are both scaled to 6 decimals.