The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Incorrect Fee Calculation in LiquidationPool's Position Function

0xCiphky

Summary:

The position function in the LiquidationPool contract, which displays a holder's position (EUROs, TST, and rewards), currently yields inaccurate data due to a flaw in its implementation. This function is essential for individual holders and frontends to accurately display position data.

Vulnerability Details:

The issue lies in how the position function calculates the fees a user is entitled to from the distributeFees function, in the scenario where the user's TST balance is greater than zero. It erroneously uses the total EUROs balance from the manager contract for this calculation.

function position(address _holder) external view returns(Position memory _position, Reward[] memory _rewards) {

_position = positions[_holder];

(uint256 _pendingTST, uint256 _pendingEUROs) = holderPendingStakes(_holder);

_position.EUROs += _pendingEUROs;

_position.TST += _pendingTST;

if (_position.TST > 0) _position.EUROs += IERC20(EUROs).balanceOf(manager) * _position.TST / getTstTotal();

_rewards = findRewards(_holder);

}

However, the distributeFees function only allocates a fraction of this balance to the pool, specifically governed by the poolFeePercentage. As a result, the fee portion calculated in the position function becomes significantly overestimated.

function distributeFees() public {

IERC20 eurosToken = IERC20(EUROs);

uint256 _feesForPool = eurosToken.balanceOf(address(this)) * poolFeePercentage / HUNDRED_PC;

if (_feesForPool > 0) {

eurosToken.approve(pool, _feesForPool);

LiquidationPool(pool).distributeFees(_feesForPool);

}

eurosToken.transfer(protocol, eurosToken.balanceOf(address(this)));

}

Impact:

This miscalculation in the position function leads to incorrect reporting of holders' positions. Users and frontends relying on this function for position information will receive inflated values, potentially causing confusion and mismanagement of assets.

Proof Of Concept

Tools Used:

Manual analysis

Recommendation:

The protocol should adjust the position function to accurately reflect the actual fee distribution. This involves modifying the calculation to consider only the portion of EUROs allocated as fees, in line with the poolFeePercentage, rather than the total EUROs balance.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

incorrect-position

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.