New fee settings shouldn't be applied to already existing orders. #514
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-377
satisfactory: satisfies C4 submission criteria; eligible for awards
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/b2ebb8ea1def4927a747e7a185174892506540ab/contracts/Trading.sol#L952
https://github.com/code-423n4/2022-12-tigris/blob/b2ebb8ea1def4927a747e7a185174892506540ab/contracts/Trading.sol#L493
Vulnerability details
Impact
New fee settings shouldn't be applied to already existing orders.
Otherwise, users might pay more fees than they expected with the old fee settings.
Proof of Concept
Both OpenFees and CloseFees can be changed anytime by admin using setFees().
And when it calculates fees using _handleOpenFees() and _handleCloseFees(), it uses current fee settings and the below scenario would be possible.
initiateLimitOrder() as the fee is low.
executeLimitOrder(), new fee(0.1%) will be used and it's not fair for the user.
Similar cases would happen with close fees as well.
Tools Used
Manual Review
Recommended Mitigation Steps
Recommend storing original fee settings when the order is opened and using those settings for the order.
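The recommended mitigation, sketched as an added example (not the Tigris code; the contract name, the openFeeAtCreation field, the single-value fee and the 1e10 scale are assumptions): the fee is copied into the order in initiateLimitOrder(), and executeLimitOrder() charges from that copy, so a later setFees() only affects new orders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration with hypothetical names; not the Tigris Trading contract.
contract FeeSnapshotExample {
    uint256 private constant DIVISION_CONSTANT = 1e10; // 100% (assumed scale)

    address public immutable owner;
    uint256 public openFee; // current setting, applies to NEW orders only

    struct LimitOrder {
        address trader;
        uint256 margin;
        uint256 openFeeAtCreation; // snapshot taken in initiateLimitOrder()
        bool executed;
    }

    LimitOrder[] public orders;

    constructor(uint256 _openFee) {
        owner = msg.sender;
        openFee = _openFee;
    }

    // Admin can still change fees at any time, as in the report.
    function setFees(uint256 _openFee) external {
        require(msg.sender == owner, "!owner");
        require(_openFee <= DIVISION_CONSTANT, "fee too high");
        openFee = _openFee;
    }

    // The fee in force right now is stored with the order.
    function initiateLimitOrder(uint256 margin) external returns (uint256 id) {
        id = orders.length;
        orders.push(LimitOrder(msg.sender, margin, openFee, false));
    }

    // Charges from the stored snapshot, never from the current openFee.
    function executeLimitOrder(uint256 id) external returns (uint256 feePaid) {
        LimitOrder storage o = orders[id];
        require(!o.executed, "executed");
        o.executed = true;
        feePaid = (o.margin * o.openFeeAtCreation) / DIVISION_CONSTANT;
    }
}
```

The same snapshot would be needed for the close fee, stored when the position is opened.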