The Standard

Summary:

The setPoolFeePercentage function in the LiquidationPoolManager contract allows the owner to adjust the fee percentage. This fee, accumulated from borrower transactions during mints and burns, is distributed to stakers as rewards. A problem in the function's current form, is that it does not distribute the accrued fees at the old rate before modifying the new fee percentage, leading to miscalculations in fee distribution.

Vulnerability Details:

The contract's fails to account for outstanding fees at the old rate prior to updating the poolFeePercentage. As it stands, the setPoolFeePercentage function changes the fee rate without triggering the distributeFees function, which would distribute the correct amount of fees owed up until that point.

Scenario Illustration:

• User A and B create borrowing positions, accruing fees in the LiquidationPoolManager contract.

• Subsequently, the contract owner changes the fee percentage by a reduction of 10%.

• When a liquidation occurs, the distributeFees function is triggered, applying the new fee rate to all fees accumulated since the last distribution, including those accrued before the fee change.

Impact:

The impact is twofold, depending on the direction of the fee percentage change:

• If the poolFeePercentage is increased, users may incorrectly receive more fees than due.

• Conversely, if the poolFeePercentage is decreased, users may end up receiving less in fees than they should have.

Tools Used:

• Manual analysis

Recommendation:

To ensure accurate fee allocation according to the respective rates, the contract should distribute existing fees prior to any change in poolFeePercentage. This can be implemented by invoking the distributeFees function within setPoolFeePercentage, as follows: