The collect() function will always TRANSFER ZERO fees, losing _feesPositions without receiving fees! #121
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
edited-by-warden
H-03
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-01-timeswap/blob/ef4c84fb8535aad8abd6b67cc45d994337ec4514/packages/v2-token/src/TimeswapV2LiquidityToken.sol#L193
Vulnerability details
Impact
Detailed description of the impact of this finding.
The
collect()
function will always transfer ZERO fees. At the same time, non-zero_fessPosition
will be burned.As a result, the contracts will be left in an inconsistent state. The user will burn
_feesPositions
without receiving the the fees!Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
The
collect()
function will always transfer ZERO fees in the following line:This is because, at this moment, the values of
long0Fees
,long1Fees
,shortFees
have not been calculated yet, actually, they will be equal to zero. Therefore, no fees will be transferred. The values oflong0Fees
,long1Fees
,shortFees
are calculated afterwards by the following line:Therefore,
ITimeswapV2Pool(poolPair).transferFees
must be called after this line to be correct.Tools Used
Remix
Recommended Mitigation Steps
We moved the line
ITimeswapV2Pool(poolPair).transferFees
afterlong0Fees
,long1Fees
,shortFees
have been calculated first.The text was updated successfully, but these errors were encountered: