Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0xloophole - Incorrect Claim Fee Distribution #459

Open
sherlock-admin4 opened this issue Sep 20, 2024 · 0 comments
Open

0xloophole - Incorrect Claim Fee Distribution #459

sherlock-admin4 opened this issue Sep 20, 2024 · 0 comments

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Sep 20, 2024
edited by sherlock-admin3
Loading

0xloophole

Medium

Incorrect Claim Fee Distribution

Details

The current implementation of the _routeClaimFee function aims to split the claim fee between the Boost owner, a potential referrer, and the protocol fee receiver. However, there's a logical error in the way the fee is distributed when a referrer is involved.

Code

(https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L305)[]

// If a referrer is provided, transfer the revshare and reduce the net fee
if (referrer_ != address(0)) {
    uint256 referralShare = claimFee * boost.referralFee / FEE_DENOMINATOR;
    netFee -= referralShare;
    referrer_.safeTransferETH(referralShare);
}

// The remaining fee is split between the owner and the protocol
boost.owner.safeTransferETH(netFee / 2);
protocolFeeReceiver.safeTransferETH(address(this).balance);

The issue arises in the last line: protocolFeeReceiver.safeTransferETH(address(this).balance);. After sending the referral share, the code attempts to transfer the entire remaining balance of the contract to the protocolFeeReceiver. This means that the protocol fee receiver would receive not only its intended share but also the Boost owner's share of the fee.

Impact

This bug would result in an incorrect distribution of the claim fee, shortchanging the Boost owner and disproportionately benefiting the protocol fee receiver whenever a referrer is involved in a claim.

Scenario

A Boost is created with a 0.1 ETH claim fee, a 10% protocol fee, and a 10% referral fee.
A user claims a reward, specifying a referrer.
According to the intended logic, the distribution should be:

Referrer: 0.01 ETH
Protocol Fee Receiver: 0.01 ETH
Boost Owner: 0.08 ETH

Due to the bug, the actual distribution would be:

Referrer: 0.01 ETH
Protocol Fee Receiver: 0.09 ETH (incorrectly receiving the owner's share)
Boost Owner: 0 ETH

Fix

To resolve this issue, the code should transfer only the protocol's intended share to the protocolFeeReceiver. This can be achieved by calculating the protocol share separately and transferring it accordingly.

// ... (previous code) ...

// Calculate the protocol share
uint256 protocolShare = netFee * boost.protocolFee / FEE_DENOMINATOR;

// Transfer the protocol share to the protocol fee receiver
protocolFeeReceiver.safeTransferETH(protocolShare);

// Transfer the remaining share (owner's share)
boost.owner.safeTransferETH(netFee - protocolShare);
@sherlock-admin3 sherlock-admin3 changed the title Joyous Glossy Antelope - Incorrect Claim Fee Distribution 0xloophole - Incorrect Claim Fee Distribution Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4