Fees charged from entire theoretical pledge amount instead of actual pledge amount #235
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-07
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-10-paladin/blob/d6d0c0e57ad80f15e9691086c9c7270d4ccfe0e6/contracts/WardenPledge.sol#L328
Vulnerability details
Description
Paladin receives a 5% cut from Boost purchases, as documented on the website:
"Warden takes a 5% fee on Boost purchases, and 5% on Quest incentives. However, there are various pricing tiers for Quest creators. Contact the Paladin team for more info."
Here's how the fee calculation looks in the createPledge function:

The issue is that the fee is taken up front, assuming totalRewardAmount will actually be rewarded by the pledge. In practice, the rewards actually utilized can be anywhere from zero to totalRewardAmount. Indeed, the reward will only be totalRewardAmount if, in the entire period from pledge creation to pledge expiry, the desired targetVotes is fulfilled, which is extremely unlikely.

As a result, if a pledge expires with no pledgers, the protocol will still take 5%. This behavior is both unfair and against the docs, as it's not "Paladin receives a 5% cut from Boost purchases".
Impact
Paladin fee collection assumes pledges will be matched immediately and fully, which is not realistic. Therefore, far too much in fees is collected at the user's expense.
Proof of Concept
Tools Used
Manual audit
Recommended Mitigation Steps
Fee collection should be done after the pledge completes, in one of the close functions or in a newly created pull function for the owner to collect fees. Otherwise, it is a completely unfair system.
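The gap between the two fee policies, as an added Python model that is not part of the original submission and is not Paladin's contract code. The class, function names, the basis-point constants and the escrow-then-refund settlement are assumptions made for illustration; only the 5% rate and the totalRewardAmount concept come from the report.

```python
# Added illustration, not WardenPledge.sol. All names here are hypothetical.
MAX_PCT = 10_000   # basis-point denominator (assumed)
FEE_BPS = 500      # the 5% fee quoted in the report


class PledgeModel:
    """Toy ledger for a single pledge, using integer token units."""

    def __init__(self, total_reward_amount, fee_at_close):
        self.total = total_reward_amount   # theoretical maximum reward budget
        self.fee_at_close = fee_at_close   # True = recommended mitigation
        self.paid_out = 0                  # rewards actually earned by pledgers
        self.closed = False

    def pledge(self, reward):
        """Record a reward paid to a pledger out of the escrowed budget."""
        if self.closed:
            raise ValueError("pledge is closed")
        if reward < 0 or self.paid_out + reward > self.total:
            raise ValueError("reward outside remaining budget")
        self.paid_out += reward

    def close(self):
        """Settle the pledge; returns (fee_to_protocol, refund_to_creator).

        Assumption: the creator escrows total + max_fee at creation in both
        variants, so the two policies differ only in what is refunded.
        """
        self.closed = True
        max_fee = self.total * FEE_BPS // MAX_PCT
        if self.fee_at_close:
            # Mitigation: fee is charged on rewards that were really paid.
            fee = self.paid_out * FEE_BPS // MAX_PCT
        else:
            # Reported behaviour: fee on the theoretical amount, kept in full.
            fee = max_fee
        refund = (self.total - self.paid_out) + (max_fee - fee)
        return fee, refund


def settle(total_reward_amount, rewards_paid, fee_at_close):
    """Run one pledge lifecycle over a list of constructed reward payouts."""
    p = PledgeModel(total_reward_amount, fee_at_close)
    for r in rewards_paid:
        p.pledge(r)
    return p.close()


if __name__ == "__main__":
    for paid in ([], [100_000, 150_000], [1_000_000]):   # constructed scenarios
        print(paid, settle(1_000_000, paid, False), settle(1_000_000, paid, True))
```

With a quarter of the budget used, the up-front policy keeps four times the fee that the at-close policy does, and with no pledgers it keeps the full fee on zero rewards.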