Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[M-01] Fees can change during the order life-cycle #347

Closed
code423n4 opened this issue Jul 4, 2022 · 1 comment
Closed

[M-01] Fees can change during the order life-cycle #347

code423n4 opened this issue Jul 4, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists old-submission-method

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L497-L503

Vulnerability details

Impact

Fee rates are not locked when fillOrder - might be unfair because admin can change contract fees unannounced.
Assume an arbitrager is checking the current fees on the contract, decide it's worth and fillOrder on chain.
Admin can change fees as he likes (in range 0-3%) and the new fees will be takin in account on exercise\withdraw.
This unexpected and unfair behaviour might drive players and users out of the platform.

Proof of Concept

            uint256 feeAmount = 0;
            if (fee > 0) {
                feeAmount = (order.strike * fee) / 1000;
                ERC20(order.baseAsset).safeTransfer(owner(), feeAmount);
            }

            ERC20(order.baseAsset).safeTransfer(msg.sender, order.strike - feeAmount);

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L497-L503

Wherever fee is taken in account, the current fee rate fee is used instead of the fee at the time of the fillOrder.

Recommended Mitigation Steps

The easiest way to do so is to save the feeAmount or the fee_rate (fee):
mapping(uint256 => uint256) public feeForOrder; on the contract level
feeForOrder[orderHash] = feeAmount; on the fillOrder after the feeAmount is calculated.

then using this cached value then transferring fee to owner()
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working old-submission-method labels Jul 4, 2022
code423n4 added a commit that referenced this issue Jul 4, 2022
@code423n4
Metatron issue #347
fc08b7e
@outdoteth
Copy link
Collaborator

Duplicate: Admin can change fee at any time for existing orders: #422

@outdoteth outdoteth added the duplicate This issue or pull request already exists label Jul 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists old-submission-method
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@outdoteth @code423n4 @HickupHH3