Skip to content

Latest commit

 

History

History
82 lines (57 loc) · 3.64 KB

File metadata and controls

82 lines (57 loc) · 3.64 KB

Magic Basil Caterpillar

Medium

Maximum total fees may exceed 10%

Summary

setting MAX_TOTAL_FEES = 10000 causes Maximum total fees to exceed 10%. setEntryProtocolFeeBasisPoints,setEntryDonationFeeBasisPoints,setEntryVouchersPoolFeeBasisPoints,setExitFeeBasisPoints functions internally calls checkFeeExceedsMaximum function to ensure the total fees doesn't exceed MAX_TOTAL_FEES. checkFeeExceedsMaximum function make sure that sum of all fees(after updating), (entryProtocolFeeBasisPoints + exitFeeBasisPoints + entryDonationFeeBasisPoints + entryVouchersPoolFeeBasisPoints) to be <=MAX_TOTAL_FEES(10000). https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L996-L1004 1)At the time of vouching we collect protocolFee,donationFee,vouchersPoolFee In EthosVouch::vouchByProfileId function, (uint256 toDeposit, ) = applyFees(msg.value, true, subjectProfileId); https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L384 https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L929-L965 https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L975-L989 which collects vouchingfees= msg.value ( entryProtocolFeeBasisPoints / (10000 + entryProtocolFeeBasisPoints) + entryDonationFeeBasisPoints/ (10000 + entryDonationFeeBasisPoints)+ entryVouchersPoolFeeBasisPoints / (10000 + entryVouchersPoolFeeBasisPoints)) 2)At the time of unvouching we collect exitFee In EthosVouch::unvouch function, https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L470 unvouchingfees= amount * exitFeeBasisPoints/(10000+exitFeeBasisPoints) Example calculations, let's take entryProtocolFeeBasisPoints=2000,entryDonationFeeBasisPoints=2000,entryVouchersPoolFeeBasisPoints=2000, exitFeeBasisPoints=2000 checkFeeExceedsMaximum function not reverts because (entryProtocolFeeBasisPoints+entryDonationFeeBasisPoints+entryVouchersPoolFeeBasisPoints+exitFeeBasisPoints)<(MAX_TOTAL_FEES = 10000),(8000<10000) Then fees collected at the time of vouching, vouchingFees=3amount2000/12000 vouchingFees=amount/2 vouch.balance=amount/2 unvouchingFees=balance * 2000/12000 unvochingFees = amount/12 so, TotalFee collected = vouchingFees+unvouchingFees TotalFee=amount7/12 percentage of fee = TotalFee*100/amount= 58.33%>10%(Maximum total fees cannot exceed 10%).

Root Cause

setting MAX_TOTAL_FEES = 10000; we can't even change it after deployment as it is a constant.(unless contract upgrade) https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L120

Internal pre-conditions

Admin needs to set entryProtocolFeeBasisPoints, entryDonationFeeBasisPoints, entryVouchersPoolFeeBasisPoints exitFeeBasisPoints values such that entryProtocolFeeBasisPoints+entryDonationFeeBasisPoints+entryVouchersPoolFeeBasisPoints+exitFeeBasisPoints>1000. which is pretty much possible as MAX_TOTAL_FEES = 10000.

External pre-conditions

No response

Attack Path

No response

Impact

Maximum total fees may exceed 10%, even go up to 60-70%(Users loss funds). But In contests readme it is clearly mentioned that , Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths? For both contracts: Maximum total fees cannot exceed 10%.

PoC

No response

Mitigation

change maxTotalFees to 1000 instead of 10000. uint256 public constant MAX_TOTAL_FEES = 10000;