Skip to content

Latest commit

 

History

History
64 lines (39 loc) · 2.23 KB

File metadata and controls

64 lines (39 loc) · 2.23 KB

Slow Tan Swallow

Medium

README is not followed when it comes to fee receiver

Summary

As stated in the README the fee address should not be trusted

Fee receiver should not have any additional access (beyond standard users), though if the fee receiver is set to owner/admin that's fine.

This implies that the fee address can be any address and should not have any privileges above that of a normal user.

However currently the fee receiver has more privileges than a normal user, as it can control when applyFees works and when it doesn't. That's because applyFees executes an arbitrary call to that address, from where on the address can re-ender and use a flash-loan to vouch and claim a huge part of the rewards or DOS the function (by reverting it).

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/EthosVouch.sol#L941-L943

      if (protocolFee > 0) {
        _depositProtocolFee(protocolFee);
      }

When we consider that applyFees is used in all core functions - vouchByProfileId, increaseVouch and unvouch we can see that the address receiving the funds has a huge control over the contract.

Root Cause

Fee receiver being called mid function inside applyFees

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Any user calls unvouch
  2. Fee receiver does not want that vouch to be reduced, so he reverts the call
  3. User is unable to reduce his vouch

Impact

README states that the fee receiver should not have any privileges above a normal user, however that's not true as that address can control all core functions and choose who can vouch for who.

Fee receiver should not have any additional access (beyond standard users), though if the fee receiver is set to owner/admin that's fine.

PoC

No response

Mitigation

Instead of sending the funds directly to the fee receiver, increase rewards and allow them to claim.

  function _depositProtocolFee(uint256 amount) internal {
-    (bool success, ) = protocolFeeAddress.call{ value: amount }("");
-    if (!success) revert FeeTransferFailed("Protocol fee deposit failed");
+    rewards[protocolFeeAddress] += amount
  }