Transaction revert in division by zero error when handling protocol fee if the feeTo address is set but s.protocolFeeDenominator is not set #101
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
grade-a
primary issue
Highest quality submission among a set of duplicates
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L654
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L650
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/AstariaRouter.sol#L303
Vulnerability details
Impact
Transaction revert in division by zero error when handling protocol fee if the feeTo address is set but s.protocolFeeDenominator is not set
Proof of Concept
In the VaultImplementation, function commitToLien is called for lifecycle of new loan origination.
which calls:
which calls:
which calls:
_handleProtocolFee(c.lienRequest.amount);
If the feeTo address is set, the code will query the protocol fee and deduct from the amount.
which calls ROUTER().getProtocolFee(amount)
note that the s.protocolFeeNumerator and s.protocolFeeDenominator is not set in the init function of the AstairRouter.sol, so if the feeTo address is set, transaction of commitToLien revert in division by zero error because s.protocolFeeDenominator is 0.
In fact, if we look into getLiquidatorFee and getBuyoutFee
if the s.buyoutFeeDenominator and s.liquidationFeeDenominator is 0, the divison by zero error can also occur, but these parameter is set in the init function of the AstariaRouter.sol
but s.protocolFeeNumerator and s.protocolFeeDenominator is not set in the init function of the AstairRouter.sol is not set in the init function of the AstariaRouter.sol
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend the protocol set the feeTo address and
s.protocolFeeNumerator and s.protocolFeeDenominator together.
Also validate the buyout fee, liqudatior fee and protocol fee's dominator are not 0 to avoid division by zero error.
The text was updated successfully, but these errors were encountered: