Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New fee settings shouldn't be applied to already existing orders. #514

Closed
code423n4 opened this issue Dec 16, 2022 · 5 comments
Closed

New fee settings shouldn't be applied to already existing orders. #514

code423n4 opened this issue Dec 16, 2022 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-377 satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/b2ebb8ea1def4927a747e7a185174892506540ab/contracts/Trading.sol#L952
https://github.com/code-423n4/2022-12-tigris/blob/b2ebb8ea1def4927a747e7a185174892506540ab/contracts/Trading.sol#L493

Vulnerability details

Impact

New fee settings shouldn't be applied to already existing orders.

Otherwise, users might pay more fees than they've expected with the old fee settings.

Proof of Concept

Both OpenFees and CloseFees can be changed anytime by admin using setFees().

And when it calculates fees using _handleOpenFees() and _handleCloseFees(), it uses current fee settings and the below scenario would be possible.

  1. At the first time, the open fee was 0.05% and a user opened a limit order using initiateLimitOrder() as the fee is low.
  2. After that, the open fee was changed to 0.1% which is not good for a user.
  3. When the pending order is executed using executeLimitOrder(), new fee(0.1%) will be used and it's not fair for the user.

Similar cases would happen with close fees as well.

Tools Used

Manual Review

Recommended Mitigation Steps

Recommend storing original fee settings when the order is opened and using those settings for the order.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 16, 2022
code423n4 added a commit that referenced this issue Dec 16, 2022
@code423n4
hansfriese issue #514
baa31ff
@TriHaz
Copy link

TriHaz commented Dec 23, 2022

Valid but we are not going to change it as fees will only be changed by DAO voting, so traders will have enough time to decide if they want to close with current fees.

@c4-sponsor
Copy link

TriHaz marked the issue as sponsor acknowledged

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Dec 23, 2022
This was referenced Dec 23, 2022
Closed
Closed
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Dec 23, 2022
This was referenced Dec 23, 2022
Closed
Closed
Closed
Closed
C4-Staff added a commit that referenced this issue Jan 6, 2023
@C4-Staff
original risk added for issue #514
527cfac
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as duplicate of #377

@c4-judge c4-judge added duplicate-377 and removed primary issue Highest quality submission among a set of duplicates labels Jan 22, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-377 satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@code423n4 @c4-judge @c4-sponsor @TriHaz