Closed sherlock-admin2 closed 1 week ago
Escalate
Quoting the sponsor's comments:
transfer_private requires a fee at the consensus layer & split doesn't require a fee at the consensus layer (split is the only function that does not, every other function on every other program requires a fee). transfer_private does not require a fee natively in the credits.aleo program and split charges a fee natively in the credits.aleo program.
It can be seen that verify.rs does not handle the issue of credits.aleo::split
fees. When a user calls credits.aleo::split
, it only deducts the corresponding funds from the caller's credit, and does not update the account information of the fee collector, which results in the loss of funds.
Quoting the sponsor's comments again:
By default in Aleo, base fees are burned for all transactions ie the supply decreases by the base fee amount.
Even if the fee is reduced directly as mentioned in the comments, this operation should be synchronized to the total supply, but there is still no relevant operation here. The internal fund account also faces problems
Escalate
Quoting the sponsor's comments:
transfer_private requires a fee at the consensus layer & split doesn't require a fee at the consensus layer (split is the only function that does not, every other function on every other program requires a fee). transfer_private does not require a fee natively in the credits.aleo program and split charges a fee natively in the credits.aleo program.
It can be seen that verify.rs does not handle the issue of
credits.aleo::split
fees. When a user callscredits.aleo::split
, it only deducts the corresponding funds from the caller's credit, and does not update the account information of the fee collector, which results in the loss of funds.Quoting the sponsor's comments again:
By default in Aleo, base fees are burned for all transactions ie the supply decreases by the base fee amount.
Even if the fee is reduced directly as mentioned in the comments, this operation should be synchronized to the total supply, but there is still no relevant operation here. The internal fund account also faces problems
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
I don't understand what the escalation is for. Is it to remove the duplication?
I don't understand what the escalation is for. Is it to remove the duplication?
Hello sir, I think I expressed two different meanings. #17
is whether the user has the motivation to call, and #18
is the issue of fund handling after the call.
Related to my comment in #17.
No fees in Aleo have a recipient. All fees are burned (whether they are split
program fees or fees in fee commitments). You are correct that this reduces overall supply. This is known and by design. Supply is decreased by all fees on every transaction and are increased by block rewards to validators and provers. This is not a security issue. It actually makes the Aleo's economics more secure because it prevents collusion between validators running up the min priority fees. This is similar to how Ethereum's eip-1559 works except Aleo burns the entire fee instead of just part of it.
Related to my comment in #17.
No fees in Aleo have a recipient. All fees are burned (whether they are
split
program fees or fees in fee commitments). You are correct that this reduces overall supply. This is known and by design. Supply is decreased by all fees on every transaction and are increased by block rewards to validators and provers. This is not a security issue. It actually makes the Aleo's economics more secure because it prevents collusion between validators running up the min priority fees. This is similar to how Ethereum's eip-1559 works except Aleo burns the entire fee instead of just part of it.
I'm not sure if I should agree with this statement. If so, I will raise another question. The report #31mentioned that some problems will occur when the validator and the delegator use the same withdrawal address. In other words, should this be the user's own problem? Consider a scenario where credits.aleo::split
and credits.aleo::transfer_private
can achieve the same effect, but the fees are different. Then user A uses credits.aleo::split
to split and user B uses credits.aleo::transfer_private
to split, then A pays twice the cost of B. Should this be counted as a loss for user A? Because A doesn't know, right?
except Aleo burns the entire fee instead of just part of it
We should question unreasonable handling methods, of course we can't be sure whether this will have an impact in the future, so I just hope to get more clues. Finally, I accept all the decisions of the judge.There is nothing to argue about, leave it to the judge.
Based on this comment, I believe this issue is invalid. The fees shouldn't be sent to any address, they're burnt, which is why fee-related methods don't update the recipient's account information.
Planning to reject the escalation and leave the issue as it is.
Result: Invalid Duplicate of #17
joicygiore
Medium
Fee related methods only update the fee payer's account information, and do not update the recipient's account information.
Summary
1.Each call to
credits.aleo::split
will lose 10_000u64 of microcredits 2.credits.aleo::fee_public
andcredits.aleo::fee_private
are missing fee recipients, causing fees to be lostVulnerability Detail
credits.aleo::split
Looking at the
credits.aleo::split
function, we can see that the function splitsinput r0 as credits.record;
into two newcredits.record
. However, the deducted10_000u64
is not credited to any account orcredits.record
, which results in the loss of10_000u64
every time the method is calledcredits.aleo::fee_public
andcredits.aleo::fee_private
credits.aleo::fee_public
only updates the sender's account information, but not the recipient's information, resulting in fee loss, and does not check and record the relevant information ofdeployment or execution ID
.The
credits.aleo::fee_private
method only returns thecredits.record
after deducting the fee, and does not process the account information of the fee recipient (or output the correspondingcredits.record
), resulting in the loss of fees, and does not check and record the relevant information of thedeployment or execution ID
.Impact
1.Each call to
credits.aleo::split
will lose 10_000u64 of microcredits 2.credits.aleo::fee_public
andcredits.aleo::fee_private
are missing fee recipients, causing fees to be lostCode Snippet
https://github.com/sherlock-audit/2024-05-aleo/blob/55b2e4a02f27602a54c11f964f6f610fee6f4ab8/snarkVM/synthesizer/program/src/resources/credits.aleo#L947-L972 https://github.com/sherlock-audit/2024-05-aleo/blob/55b2e4a02f27602a54c11f964f6f610fee6f4ab8/snarkVM/synthesizer/program/src/resources/credits.aleo#L1005-L1035 https://github.com/ProvableHQ/snarkVM/blob/a3c9403a581ab03be3fdd075860e815c72e35065/synthesizer/program/src/resources/credits.aleo#L976-L1000
Tool used
Manual Review
Recommendation
we should consider crediting this portion of
microcredits
to an address. For example:credits.aleo::split
credits.aleo::fee_public
Duplicate of #17