Magic Basil Caterpillar
Medium
setting MAX_TOTAL_FEES = 10000 causes Maximum total fees to exceed 10%.
setEntryProtocolFeeBasisPoints,setEntryDonationFeeBasisPoints,setEntryVouchersPoolFeeBasisPoints,setExitFeeBasisPoints
functions internally calls checkFeeExceedsMaximum function to ensure the total fees doesn't exceed MAX_TOTAL_FEES.
checkFeeExceedsMaximum function make sure that sum of all fees(after updating), (entryProtocolFeeBasisPoints +
exitFeeBasisPoints +
entryDonationFeeBasisPoints +
entryVouchersPoolFeeBasisPoints) to be <=MAX_TOTAL_FEES(10000).
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L996-L1004
1)At the time of vouching we collect protocolFee,donationFee,vouchersPoolFee
In EthosVouch::vouchByProfileId function,
(uint256 toDeposit, ) = applyFees(msg.value, true, subjectProfileId);
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L384
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L929-L965
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L975-L989
which collects vouchingfees= msg.value ( entryProtocolFeeBasisPoints / (10000 + entryProtocolFeeBasisPoints) + entryDonationFeeBasisPoints/ (10000 + entryDonationFeeBasisPoints)+ entryVouchersPoolFeeBasisPoints / (10000 + entryVouchersPoolFeeBasisPoints))
2)At the time of unvouching we collect exitFee
In EthosVouch::unvouch function,
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L470
unvouchingfees= amount * exitFeeBasisPoints/(10000+exitFeeBasisPoints)
Example calculations,
let's take entryProtocolFeeBasisPoints=2000,entryDonationFeeBasisPoints=2000,entryVouchersPoolFeeBasisPoints=2000, exitFeeBasisPoints=2000
checkFeeExceedsMaximum function not reverts because (entryProtocolFeeBasisPoints+entryDonationFeeBasisPoints+entryVouchersPoolFeeBasisPoints+exitFeeBasisPoints)<(MAX_TOTAL_FEES = 10000),(8000<10000)
Then fees collected at the time of vouching,
vouchingFees=3amount2000/12000
vouchingFees=amount/2
vouch.balance=amount/2
unvouchingFees=balance * 2000/12000
unvochingFees = amount/12
so, TotalFee collected = vouchingFees+unvouchingFees
TotalFee=amount7/12
percentage of fee = TotalFee*100/amount= 58.33%>10%(Maximum total fees cannot exceed 10%).
setting MAX_TOTAL_FEES = 10000; we can't even change it after deployment as it is a constant.(unless contract upgrade) https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L120
Admin needs to set entryProtocolFeeBasisPoints, entryDonationFeeBasisPoints, entryVouchersPoolFeeBasisPoints exitFeeBasisPoints values such that entryProtocolFeeBasisPoints+entryDonationFeeBasisPoints+entryVouchersPoolFeeBasisPoints+exitFeeBasisPoints>1000. which is pretty much possible as MAX_TOTAL_FEES = 10000.
No response
No response
Maximum total fees may exceed 10%, even go up to 60-70%(Users loss funds). But In contests readme it is clearly mentioned that , Are there any limitations on values set by admins (or other roles) in the codebase, including restrictions on array lengths? For both contracts: Maximum total fees cannot exceed 10%.
No response
change maxTotalFees to 1000 instead of 10000. uint256 public constant MAX_TOTAL_FEES = 10000;