Boost Creators can prevent the protocol from getting the Default 10% of the claim fee its supposed to receive
0xlookman
High
Summary
By default, the protocol is supposed to receive at least 10% of the claimfee during a claim but malicious boost creators can prevent this by setting the referral fee percentage to a value between 90 - 100% of the claim fee.
Vulnerability Detail
The protocal is supposed to receive at least 10% as the base percentage of the claimFee and this is imposed during boost creation where the base percentage is added to the value provided in the parameters.
But a boost creator can prevent this from happening by setting the referral percentage to a percentage greater than 90%.
According to the logic in BoostCore::_routeClaimFee by diving the remaining 10% of the claim fee will leave the protocol with something less than 5%of the claim fee making the protocol get something less than the default hence breaking the protocol's invariant.
Since the referral fee is sent first, the protocol will receive a very small percentage than intended.
// If a referrer is provided, transfer the revshare and reduce the net fee
if (referrer_ != address(0)) {
uint256 referralShare = (claimFee * boost.referralFee) /
FEE_DENOMINATOR;
netFee -= referralShare;
referrer_.safeTransferETH(referralShare);
}
During boost creation when setting up percentages, add checks to ensure that when you add both the protocol fee percentage and that of the referral, they do not exceed 100%(10000) and the protocol will get something greater or equal to 10%.
0xlookman
High
Boost Creators can prevent the protocol from getting the Default 10% of the claim fee its supposed to receive
0xlookman
High
Summary
By default, the protocol is supposed to receive at least 10% of the
claimfeeduring a claim but malicious boost creators can prevent this by setting the referral fee percentage to a value between 90 - 100% of the claim fee.Vulnerability Detail
The protocal is supposed to receive at least 10% as the base percentage of the
claimFeeand this is imposed during boost creation where the base percentage is added to the value provided in the parameters.https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L121
But a boost creator can prevent this from happening by setting the referral percentage to a percentage greater than 90%.
According to the logic in
BoostCore::_routeClaimFeeby diving the remaining 10% of the claim fee will leave the protocol with something less than 5%of the claim fee making the protocol get something less than the default hence breaking the protocol's invariant.Since the referral fee is sent first, the protocol will receive a very small percentage than intended.
Impact
Breaks an important invariant of the protocol and protocol's loss of funds. The protocol gets a fee smaller than the default it's supposed to receive.
Code Snippet
Tool used
Manual Review
Recommendation
During boost creation when setting up percentages, add checks to ensure that when you add both the protocol fee percentage and that of the referral, they do not exceed 100%(10000) and the protocol will get something greater or equal to 10%.