MrCrowNFT - Users not be able to claim incentives with referrer address if `(payload_.referralFee + BoostCore.sol::referralFee) > FEE_DENOMINATOR`

[sherlock-admin4]

MrCrowNFT

Medium

Users not be able to claim incentives with referrer address if (payload_.referralFee + BoostCore.sol::referralFee) > FEE_DENOMINATOR

Summary

When creating a boost, the creators payload (decoded from input data), holds a `payload.referralFeewhich is added toBoostCore.sol::referralFeeto defineboost.referralFee. According toREADME.md`BoostCore.sol::referralFee = Between 0 - FEE_DENOMINATOR (FEEDENOMINATOR=100%). The main issue resides in the fact if `(payload.referralFee + BoostCore.sol::referralFee) > FEE_DENOMINATOR,BoostCore.sol::claimIncentive` will underflow revert when calling with referrer address for the created boost.

Root Cause

• In BoostCore.sol::122 payload_.protocolFee is added to protocolFee without checking if it exceeds FEE_DENOMINATOR.
• In BoostCore.sol::_routeClaimFee when a referrer address is included and if (payload_.referralFee + BoostCore.sol::referralFee) > FEE_DENOMINATOR, referralShare will be greater than netFee, making the function revert due to underflow. https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L305-L314

Internal pre-conditions

No response

External pre-conditions

• (payload_.referralFee + BoostCore.sol::referralFee) > FEE_DENOMINATOR, this could happened by accident.
• user calls claimIncentive with a referral address.

Attack Path

No response

Impact

• When the conditions are met, the users claiming their incentives while inputting a referrer address will be unable to do so.

PoC

You may add the following code to BoostCore.t.sol for testing

//Create data with a referrer fee >90%
    bytes BudgetFeeOver90CreateData = LibZip.cdCompress(
        abi.encode(
            BoostCore.InitPayload({
                budget: budget,
                action: action,
                validator: BoostLib.Target({isBase: true, instance: address(0), parameters: ""}),
                allowList: allowList,
                incentives: _makeIncentives(1),
                protocolFee: 500, // 5%
                referralFee: 9100, // 91%
                maxParticipants: 10_000,
                owner: address(1)
            })
        )
    );

    function testUnableToClaimWithFeeOver90() public {
        //create a boost using the data
        boostCore.createBoost(BudgetFeeOver90CreateData);

        uint256 tokenId = 1;
        mockERC721.mint{value: 0.1 ether}(address(this));
        mockERC721.mint{value: 0.1 ether}(address(this));
        mockERC721.mint{value: 0.1 ether}(address(this));

        // Define a referrer
        address referrer = makeAddr("referrer");

        // Prepare the data payload for validation
        bytes memory data = abi.encode(address(this), abi.encode(tokenId));

        // Expect to fail when claimimg the incentive with a referrer
        vm.expectRevert();
        boostCore.claimIncentive{value: 0.000075 ether}(0, 0, referrer, data);

    }

Mitigation

Add a maximum referral fee check in BoostCore.sol::createBoost