Motomoto - Users can pay 0 fees while investing

[sherlock-admin4]

Motomoto

Medium

Users can pay 0 fees while investing

Summary

Integer division in VVVVCInvestmentLedger's fee calculation can cause a bypass of the fee mechanism as users can structure their investment amounts to result in zero fees while still investing.

Root Cause

In VVVVCInvestmentLedger.sol the fee calculation can result in zero due to integer division when preFeeStableAmountEquivalent * feeNumerator is less than FEE_DENOMINATOR:

uint256 postFeeStableAmountEquivalent =
    preFeeStableAmountEquivalent - (preFeeStableAmountEquivalent * _params.feeNumerator) / FEE_DENOMINATOR;

Instead of paying the intended fee, users can pay 0% by splitting their investments into smaller amounts.

Internal pre-conditions

1. feeNumerator needs to be set to a small value (e.g., 100 for 1% fee)
2. FEE_DENOMINATOR is fixed at 10_000

External pre-conditions

None

Attack Path

1. User calculates the maximum amount where (amount * feeNumerator) < FEE_DENOMINATOR
2. For example, with feeNumerator = 100:
3. If preFeeStableAmountEquivalent = 99
4. Then 99 * 100 = 9900
5. 9900 / 10000 = 0 (due to integer division)
6. Attacker makes multiple small investments just below this threshold
7. Each investment pays zero fees due to integer division
8. Attacker accumulates a significant position while paying no fees

Impact

Users can bypass fees

PoC

Described in the attack path

Mitigation

Modify the fee calculation to handle small amounts

[sherlock-admin2]

The protocol team fixed this issue in the following PRs/commits: https://github.com/vvvdevs/vvv-platform-smart-contracts/pull/102