0xlookman - `BoostCore::_routeClaimFee` can be Dosed by any of the first Recipients before the `protocolFeeReceiver` during a claim leading to a loss of funds

[sherlock-admin4]

0xlookman

Medium

BoostCore::_routeClaimFee can be Dosed by any of the first Recipients before the protocolFeeReceiver during a claim leading to a loss of funds

0xlookman

Medium

Summary

The claim process of the claim fee in BoostCore::_routeClaimFee might be Dosed by either a malicious boost owner or referrer, breaking the protocol's core functionality. This would also result in fee loss for the protocol as protocol fees won't be collected.

Vulnerability Detail

In BoostCore::claimIncentiveFor when claiming an incentive, the BoostCore::_routeClaimFee is called to distribute claimFees among all recipients.

       function claimIncentiveFor(
        uint256 boostId_,
        uint256 incentiveId_,
        address referrer_,
        bytes calldata data_,
        address claimant
    ) public payable nonReentrant {
        BoostLib.Boost storage boost = _boosts[boostId_];
        if (msg.value < claimFee)
            revert BoostError.InsufficientFunds(
                address(0),
                msg.value,
                claimFee
            );
        _routeClaimFee(boost, referrer_);

• https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L164C1-L174C1

  The claimFee is supposed to be distributed to one or more of the following individuals:

  • Referrer (if any)
  • boost owner
  • Protocol fee receiver

          if (referrer_ != address(0)) {
          uint256 referralShare = (claimFee * boost.referralFee) /
              FEE_DENOMINATOR;
          netFee -= referralShare;
          referrer_.safeTransferETH(referralShare);
      }
  
      // The remaining fee is split between the owner and the protocol
      boost.owner.safeTransferETH(netFee / 2);
      protocolFeeReceiver.safeTransferETH(address(this).balance);

• https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L310C1-L318C8 The risk is the way amount is distributed where as long as any of the first two recipients (referrer or boost owner) maliciously reverts upon receiving the Eth, they could DOS all the other recipients.

Impact

When a fee recipient decides to maliciously revert, all the other recipients will loss their share of the fee as they won't receive their share.

Code Snippet

Tool used

Manual Review

Recommendation

Consider using a pull method for recipients to claim their share instead of transferring the fee directly to them during claiming in the BoostCore::_routeClaimFee .