Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low

COMMISSION_FEE can be set to 10,000

Summary

There is no upper limit on the value COMMISSION_FEE can be set to. If the distributor contract is redeployed, the COMMISSION_FEE can be set to 10,000. Users will not receive any money in this case because the commission takes away all the rewards.

Vulnerability Details

In Distributor.sol, the COMMISSION_FEE is set at 500. The comments state that it can be changed in the future, so it is assumed that if changed, the whole contract would be redeployed since there is no function to change the COMMISSION_FEE within the contract.

uint256 private constant COMMISSION_FEE = 500; // this can be changed in the future

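If the commission fee is set to 10,000, then no one would receive anything, because the check below only accepts winner percentages that sum to 10000 - COMMISSION_FEE, which is then 0.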

if (totalPercentage != (10000 - COMMISSION_FEE)) {

Impact

Winners will not receive any rewards since the commission takes away all the rewards.
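The effect of the quoted check at different fee values, as an added Python model that is not code from Distributor.sol or from the submission. The payout formula (integer share of the balance, remainder to the commission receiver), the function names and the sample pool size are assumptions of this model.

```python
# Model of the percentage check quoted above; not Distributor.sol itself.
BASIS_POINTS = 10_000   # 100% in basis points, as in the quoted check
MAX_FEE_BPS = 1_000     # the 10% cap proposed under Recommendations


class MismatchedPercentages(Exception):
    """Winner percentages do not add up to 10000 - fee."""


def validate_fee(fee_bps, cap_bps=MAX_FEE_BPS):
    """Deploy-time bound on the fee: reject anything above the cap."""
    if not 0 <= fee_bps <= cap_bps:
        raise ValueError(f"commission fee {fee_bps} bps exceeds cap {cap_bps} bps")
    return fee_bps


def distribute(balance, percentages_bps, fee_bps):
    """Return (winner payouts, commission) for one prize pool.

    Mirrors `totalPercentage != (10000 - COMMISSION_FEE)`. The payout formula
    is an assumption of this model; the page does not show it.
    """
    if sum(percentages_bps) != BASIS_POINTS - fee_bps:
        raise MismatchedPercentages(sum(percentages_bps), BASIS_POINTS - fee_bps)
    payouts = [balance * p // BASIS_POINTS for p in percentages_bps]
    return payouts, balance - sum(payouts)


def winner_share(balance, n_winners, fee_bps):
    """Split whatever the fee leaves evenly; return the total paid to winners."""
    left = BASIS_POINTS - fee_bps
    pcts = [left // n_winners] * n_winners
    pcts[0] += left - sum(pcts)  # rounding remainder goes to the first winner
    payouts, _ = distribute(balance, pcts, fee_bps)
    return sum(payouts)


if __name__ == "__main__":
    pool = 1_000 * 10**6  # constructed sample: 1,000 USDC at 6 decimals
    for fee in (500, 1_000, 10_000):
        print(fee, winner_share(pool, 3, fee))
```

With the fee at 10,000 the only percentage list the check accepts sums to 0, so the whole pool goes to the commission receiver; `validate_fee` is the kind of deploy-time bound that rules that value out.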

Tools Used

Manual Review

Recommendations

Set the COMMISSION_FEE in the constructor and limit the commission fee to a maximum of 10%.

+ uint256 private immutable COMMISSION_FEE;
constructor(
// uint256 version, // for future use
address factoryAddress,
address stadiumAddress,
uint fee
)
/* solhint-enable */
{
if (factoryAddress == address(0) || stadiumAddress == address(0)) revert Distributor__NoZeroAddress();
+ require(fee < 1,000, "Commission fee is too high");
FACTORY_ADDRESS = factoryAddress; // initialize with deployed factory address beforehand
STADIUM_ADDRESS = stadiumAddress; // official address to receive commission fee
+ COMMISSION_FEE = fee;
}
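Review bot: the bound in `require(fee < 1,000, "Commission fee is too high");` will not compile as written, because Solidity number literals cannot contain commas; use `1000` or `1_000`. The strict `<` also rejects a fee of exactly 1000, while the recommendation text says a maximum of 10%, so use `<=` if 10% itself is meant to be allowed. The patch adds `uint256 private immutable COMMISSION_FEE;` but shows no removal of the existing `uint256 private constant COMMISSION_FEE = 500;` declaration, and the two cannot coexist under the same name. Smaller points: declare the parameter as `uint256 fee` to match the state variable, and consider a custom error for the fee check, in line with the `Distributor__NoZeroAddress()` revert just above it.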
