138.md

Shaggy Clear Mallard

Medium

Protocol Fee can be set up to get most of the createDistribution amount

Summary

The variable protocolFee determines the fees that are collected by the protocol for the total amount of a distribution. This variable can be set to a maximum of 1e9-1 by the owner, thus allowing the owner to steal almost all of the amount of a newly created distribution. code

NOTE: Even though this is a permissioned variable, if the owner account gets hacked, this will allow the hacker to steal almost all of the tokens of all the new distributions that get created.

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

This variable can be set to a maximum of 1e9-1 by the owner, thus allowing the owner to steal almost all of the amount of a new created distribution.

PoC

Take a look at the following:

function test_protocolFee() public {
    uint256 amount = 100_000e6;
    uint256 protocolFee = 1e9 - 1;

    uint256 fee = amount * protocolFee / BASE_9;
    console.log(fee, amount);
}

[PASS] test_protocolFee() (gas: 3309)
Logs:
  99999999900 100000000000

  Traces:
    [3309] ContractBTest::test_protocolFee()
        ├─ [0] console::log(99999999900 [9.999e10], 100000000000 [1e11]) [staticcall]
            │   └─ ← [Stop] 
                └─ ← [Return] 

Mitigation

Restrict protocolFee to a maximum reasonable amount for a fee. EX: 1e8 == 10%.

    /// @notice Sets the protocol fee rate
    /// @param _protocolFee New fee rate (in BASE_9 units)
    function setProtocolFee(uint256 _protocolFee) external onlyOwner {
        require(_protocolFee <= 1e8, "Protocol fee is based on 10**9");
        protocolFee = _protocolFee;
        emit ProtocolFeeSet(_protocolFee);
    }