royaltyFee incorrectly determined in PrivatePool #303
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-669
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L788
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L236
https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L335
Vulnerability details
Impact
The protocol calculates the sale price by assuming it's the same for each NFT, even if their weights differ. This assumption is deemed incorrect and leads to unfair fee distribution to recipients.
Proof of Concept
Here is the scenario:
buyQuote() would be based on a weight of 2.0e18 to return netInputAmount and subsequently be used to correspondingly determine salePrice and royaltyFee.
buyQuote() would be based on a weight of 3.0e18 to return netInputAmount and subsequently be used to evenly determine salePrice and royaltyFee:
File: PrivatePool.sol#L235-L249
As a result, recipient #1 suffers a fee cut considering her NFT weight was treated as 1.5 instead of 2.0:
File: PrivatePool.sol#L271-L284
The impact will be increasingly significant if the weight difference is larger and involves more NFTs in bulk purchase or sale.
Tools Used
Manual
Recommended Mitigation Steps
Consider refactoring the affected arithmetic in bulk purchase and sale to correctly and fairly distribute royalties to the recipients.
For instance, the affected code line of sell() can be refactored as follows:
File: PrivatePool.sol#L335
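The fee arithmetic of the scenario above, worked through as an added Python example; it is not the refactor from this report and not code from PrivatePool.sol. It compares the even per-NFT sale price with a weight-proportional one. Assumptions: the second NFT has weight 1.0e18 (inferred from the 3.0e18 total and the 1.5 average), the price is 1e18 per 1.0 of weight, the royalty is a flat 5%, and all function names are hypothetical.

```python
WAD = 10**18  # fixed-point scale for NFT weights (1.0 == 1e18)

# Constructed sample values (assumptions, not taken from the contract):
WEIGHTS = [2 * WAD, 1 * WAD]   # recipient #1's NFT, then a second NFT
TOTAL_PRICE = 3 * WAD          # price for the combined weight of 3.0e18
ROYALTY_BPS = 500              # flat 5% royalty for every NFT


def even_split(total_price, weights):
    """Per-NFT sale price when the total is divided by the NFT count."""
    return [total_price // len(weights)] * len(weights)


def weighted_split(total_price, weights):
    """Per-NFT sale price in proportion to weight.

    Integer division can leave dust; it is added to the last NFT so the
    per-NFT prices always sum to total_price.
    """
    weight_sum = sum(weights)
    prices = [total_price * w // weight_sum for w in weights]
    prices[-1] += total_price - sum(prices)
    return prices


def royalties(prices, royalty_bps):
    """Royalty owed per NFT for the given per-NFT sale prices."""
    return [p * royalty_bps // 10_000 for p in prices]


def royalty_shortfall(total_price, weights, royalty_bps):
    """Weight-proportional royalty minus even-split royalty, per NFT.

    A positive entry means that recipient is underpaid by the even split.
    """
    even = royalties(even_split(total_price, weights), royalty_bps)
    fair = royalties(weighted_split(total_price, weights), royalty_bps)
    return [f - e for f, e in zip(fair, even)]


if __name__ == "__main__":
    for name, split in (("even", even_split), ("weighted", weighted_split)):
        prices = split(TOTAL_PRICE, WEIGHTS)
        print(name, prices, royalties(prices, ROYALTY_BPS))
    print("shortfall", royalty_shortfall(TOTAL_PRICE, WEIGHTS, ROYALTY_BPS))
```

The total royalty paid is the same under both splits; only its distribution between recipients changes, which is why the error does not show up in pool-level accounting.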