Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
0xAadi commented:
Invalid: The implementation is accurate, although the "@dev" comment appears to be a mistake.
as mentioned by 0xAadi, the implementation is accurate, but the comment is very misleading and invalid, it should be:
```solidity
/// @dev Fee controller, that's intended to be called by reactors.
/// * By default applies constant 'baseFee' on output token.
/// * Dynamic pair-based fee can be enabled by calling 'setPairBasedFee'.
/// * Both dynamic and base fee can be disabled by setting 'applyFee' to true and the 'fee' value to 0.
```
thank_you
medium
Apply fee when false still adds a base fee
Summary
When a token pair's fee has applyFee set to false, the RubiconFeeController will still apply a base fee to the feeAmount. This is in direct contradiction to the code comments, which state:
Take note of the last line, which states that the dynamic and base fee can be disabled by setting applyFee to false.
Vulnerability Detail
The vulnerability has to do with an if statement in getFeeOutputs(). This if statement applies a base fee when applyFee is set to false:
The following spec test shows that a fee is applied when applyFee is set to false:
Impact
A base fee will be applied to a trade even if applyFee is set to false. This can lead to users having to pay a fee when applyFee is set to false.
Code Snippet
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/fee-controllers/RubiconFeeController.sol?plain=1#L12-L15
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/fee-controllers/RubiconFeeController.sol?plain=1#L81-L83
Tool used
Manual Review
Recommendation
When fee.applyFee is false, return order.outputs[i].amount.
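The behaviour described in the Vulnerability Detail and the Recommendation, as an added Python model written for this page; it is not the RubiconFeeController source. The names fee.applyFee, fee.fee and baseFee come from the issue, while DENOM, the sample fee values and the rounding-up helper are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the fee logic this issue describes; not the contract's code.
DENOM = 100_000   # assumed fee denominator: fees are expressed in units of 1/DENOM
BASE_FEE = 10     # assumed constant baseFee (10 / 100_000 = 0.01 %)


@dataclass
class PairBasedFee:
    applyFee: bool  # per-pair flag that is supposed to switch fees on and off
    fee: int        # dynamic pair-based fee, in units of 1/DENOM


def mul_div_up(x: int, y: int, d: int) -> int:
    """Assumed rounding-up multiply-divide, as fee math in Solidity commonly does."""
    return (x * y + d - 1) // d


def fee_amount_as_reported(amount: int, pair: PairBasedFee) -> int:
    """Behaviour the issue reports: applyFee == False still charges baseFee."""
    if pair.applyFee:
        return mul_div_up(amount, pair.fee, DENOM)
    # The 'disabled' branch still takes the base fee; this is the finding.
    return mul_div_up(amount, BASE_FEE, DENOM)


def fee_amount_recommended(amount: int, pair: PairBasedFee) -> int:
    """Recommendation: when fee.applyFee is false, no fee is taken at all."""
    if not pair.applyFee:
        return 0  # caller returns order.outputs[i].amount untouched
    return mul_div_up(amount, pair.fee, DENOM)


def output_after_fee(amount: int, pair: PairBasedFee, reported: bool) -> int:
    """Amount the user actually receives under either variant."""
    fn = fee_amount_as_reported if reported else fee_amount_recommended
    return amount - fn(amount, pair)
```

With applyFee false the reported variant still deducts baseFee from the output, while the recommended variant leaves the full amount; setting applyFee true with fee 0, the way the corrected comment describes, disables fees in both variants.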