search

sherlock-audit / 2024-05-elfi-protocol-judging

11 stars 7 forks source link

blackhole - The `redeemFee` is not properly deducted in `_executeRedeemStakeToken` Function #246

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

blackhole

Medium

The redeemFee is not properly deducted in _executeRedeemStakeToken Function

Summary

The _executeRedeemStakeToken function is used to redeem the stake token and transfer the fee to the fee receiver. However, the redeem fee is not properly deducted from the amount transferred to the user.

Vulnerability Detail

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L176

    function _executeRedeemStakeToken(
        LpPool.Props storage pool,
        Redeem.Request memory params,
        address baseToken
    ) internal returns (uint256) {
        ...
        uint256 redeemFee = FeeQueryProcess.calcMintOrRedeemFee(cache.redeemTokenAmount, poolConfig.redeemFeeRate);
        FeeProcess.chargeMintOrRedeemFee(
            redeemFee,
            params.stakeToken,
            params.redeemToken,
            params.account,
            FeeProcess.FEE_REDEEM,
            false
        );
        VaultProcess.transferOut(
            params.stakeToken,
            params.redeemToken,
            params.receiver,
            cache.redeemTokenAmount - cache.redeemFee // @audit use redeemFee instead of cache.redeemFee
        );
        ...

As shown in the code snippet above, the redeemFee is calculated using the calcMintOrRedeemFee function. However, when transferring the redeemed tokens to the user, the function uses cache.redeemFee (which remains at 0) instead of the calculated redeemFee. This allows users to redeem stake tokens without actually paying the redeem fee.

Impact

This vulnerability enables users to redeem stake tokens without incurring the redeem fee, leading to potential financial losses for the platform.

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L176

Tool used

Manual Review

Recommendation

Update the function to use the correct redeemFee value instead of cache.redeemFee when transferring the redeemed tokens to the user.

Duplicate of #66