In BoostCore the protocol will get more or less than the intended percentage of the ClaimFee
0xlookman
High
Summary
By default, the protocol is not supposed to get less than 10% of the claim fee of 0.000075 ether and this percentage can be increased by the Boost creator to a value between 10% - 100%. But the implementation of BoostCore::_routeClaimFee makes it that the protocol receives more or less than the intended percentage.
Vulnerability Detail
The claimFee is supposed to be divided between the boost owner, referrer and the protocol. The percentages of the referrer and the protocol are specified during the boost's creation but must not be lower than 10%.
/// @notice The base protocol fee (in bps)
uint64 public protocolFee = 1_000; // 10%
/// @notice The base referral fee (in bps)
uint64 public referralFee = 1_000; // 10%
But when distributing the fees during a claim in BoostCore::_routeClaimFee the protocol's percentage is not followed as it is divided by 2 on the remaining value after deducting the referrer's fees.
uint256 netFee = claimFee;
// If a referrer is provided, transfer the revshare and reduce the net fee
if (referrer_ != address(0)) {
uint256 referralShare = (claimFee * boost.referralFee) /
FEE_DENOMINATOR;
netFee -= referralShare;
referrer_.safeTransferETH(referralShare);
}
// The remaining fee is split between the owner and the protocol
boost.owner.safeTransferETH(netFee / 2);
protocolFeeReceiver.safeTransferETH(address(this).balance);
In this case when the `BoostCore::_routeClaimFee` divides the fee every one gets:
Protocal gets 0.00003375 ether
Refferal gets 0.0000075 ether
BoostOwnwer gets 0.00003375 ether
The real amounts they were supposed to receive based on the percentages:
Protocal should get 0.0000375 ether
Refferal should get 0.00000075 ether
BoostOwnwer should get 0.00003 ether
Here the protocal loses 0.00000375 ether while the owner gets 0.00000375 ether more than he should.
In this case when the `BoostCore::_routeClaimFee` divides the fee every one gets:
Protocal = 0.000037125 ether
Refferal = 0.00000075 ether
BoostOwnwer = 0.000037125 ether
The real amounts they were supposed to receive based on the percentages:
Protocal should get 0.0000225 ether
Refferal should get 0.00000075 ether
BoostOwnwer should get 0.000045 ether
Here the Boost owner loses 0.0000014625 ether while the protocol gets 0.0000014625 ether more he should.
Impact
Loss of fees to both owner and the protocol due to the unfollowed percentage distribution specified during initialization.
0xlookman
High
In
BoostCorethe protocol will get more or less than the intended percentage of theClaimFee0xlookman
High
Summary
By default, the protocol is not supposed to get less than 10% of the claim fee of
0.000075ether and this percentage can be increased by the Boost creator to a value between 10% - 100%. But the implementation ofBoostCore::_routeClaimFeemakes it that the protocol receives more or less than the intended percentage.Vulnerability Detail
The
claimFeeis supposed to be divided between the boost owner, referrer and the protocol. The percentages of the referrer and the protocol are specified during the boost's creation but must not be lower than 10%.Boost creators can increase these percentages during Boost creation.
But when distributing the fees during a claim in
BoostCore::_routeClaimFeethe protocol's percentage is not followed as it is divided by 2 on the remaining value after deducting the referrer's fees.Proof of concept
Let's consider two scenarios: Scenario A: Boost.protocalFee = 5000(50%) Boost.referralFee = 1000(10%)
Scenario B: Boost.protocalFee = 3000(30%) Boost.referralFee = 1000(10%)
Impact
Loss of fees to both owner and the protocol due to the unfollowed percentage distribution specified during initialization.
Code Snippet
Tool used
Manual Review
Recommendation
Implement the
BoostCore::_routeClaimFeein such a way that it follows the given percentages whereby each party receives the intended amount.