Description
Lines of code
https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/Vault.sol#L155-L157
Vulnerability details
Proof of Concept
If the position has grown, the protocol receives a performance fee.
https://github.com/code-423n4/2024-05-bakerfi/blob/main/contracts/core/Vault.sol#L153-L158
    uint256 feeInEthScaled = uint256(balanceChange) *
        settings().getPerformanceFee();
    uint256 sharesToMint = (feeInEthScaled * totalSupply()) /
        _totalAssets(maxPriceAge) /
        PERCENTAGE_PRECISION;
    _mint(settings().getFeeReceiver(), sharesToMint);

Let's check how the share amount is calculated and why it is less than it should be.
Suppose that totalSupply() == 100000 and _totalAssets(maxPriceAge) == 100100, so we earned 100 ETH as additional profit. balanceChange == 100 and the performance fee is 10%, which is 10 ETH.
sharesToMint = 10 * 100000 / 100100 = 9.99001
This means that with 9.99001 shares the protocol should be able to collect the 10 ETH fee, which does hold if we convert at the current supply: 9.99001 * 100100 / 100000 = 10.
The problem is that the minting is done afterwards, which means that totalSupply() will increase by 9.99001 shares. So if we calculate the fee amount now, we get a smaller amount: 9.99001 * 100100 / 100009.99001 = 9.999001
Impact
The protocol receives a smaller amount of fees.
Tools Used
VS Code
Recommended Mitigation Steps
The formula should be adjusted to account for the increase in total supply.
Assessed type
Error
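The arithmetic from the Proof of Concept, reproduced with exact fractions next to one dilution-aware formula. This is an added example, not code from the report or from the BakerFi repository; the function names and the adjusted formula `fee * S / (A - fee)` are assumptions used for illustration, and PERCENTAGE_PRECISION scaling is left out by passing the fee rate as a fraction.

```python
from fractions import Fraction

def shares_current(balance_change, fee_rate, total_supply, total_assets):
    """Formula from the Vault.sol snippet: fee * totalSupply / totalAssets,
    using the supply as it is before the fee shares are minted."""
    fee = balance_change * fee_rate
    return fee * total_supply / total_assets

def shares_dilution_adjusted(balance_change, fee_rate, total_supply, total_assets):
    """Assumed fix: solve s * A / (S + s) = fee for s, giving
    s = fee * S / (A - fee), so the mint's own dilution is priced in."""
    fee = balance_change * fee_rate
    return fee * total_supply / (total_assets - fee)

def value_after_mint(minted, total_supply, total_assets):
    """Assets the fee receiver can claim once the minted shares are
    part of the total supply."""
    return minted * total_assets / (total_supply + minted)

def compare(balance_change, fee_rate, total_supply, total_assets):
    """Return the intended fee and the realised value under both formulas."""
    args = (balance_change, fee_rate, total_supply, total_assets)
    current = shares_current(*args)
    adjusted = shares_dilution_adjusted(*args)
    return {
        "intended_fee": balance_change * fee_rate,
        "current_shares": current,
        "current_value": value_after_mint(current, total_supply, total_assets),
        "adjusted_shares": adjusted,
        "adjusted_value": value_after_mint(adjusted, total_supply, total_assets),
    }

if __name__ == "__main__":
    # Values from the report: supply 100000, assets 100100, profit 100, fee 10%.
    result = compare(Fraction(100), Fraction(1, 10),
                     Fraction(100000), Fraction(100100))
    for key, val in result.items():
        print(f"{key:16s} {float(val):.6f}")
```

An on-chain version would use integer division, so the adjusted value would round down slightly rather than match the fee exactly.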