Sablier

DeFiFoundry

53,440 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

`Helpers::checkAndCalculateBrokerFee` return zero broker fee for tokens with < 18 decimals.

alymurtazamemon

Summary

The prb library doesn't calculate correct broker fee for tokens with < 18 decimals.

Vulnerability details

The protocol uses the MAX_BROKER_FEE constant to limit brokers to charging only up to 10% of the total amount as a broker fee when creating streams. However, its value is hardcoded with 18 decimals. Because of this, the Helpers::checkAndCalculateBrokerFee function returns zero broker fee for tokens with < 18 decimals.

Impact

Brokers will get 0 fee for tokens with < 18 decimals.

Proof of Concept

Put this code in any file and run it using command bun run test --mt test_checkAndCalculateBrokerFee -vvv.

// SPDX-License-Identifier: MIT

pragma solidity >=0.8.22;

import { Test } from "forge-std/src/Test.sol";

import { console } from "forge-std/src/console.sol";

import { Helpers } from "src/libraries/Helpers.sol";

import { UD60x18 } from "@prb/math/src/UD60x18.sol";

import { Lockup } from "src/types/DataTypes.sol";

contract HelperTest is Test {

UD60x18 public constant MAX_BROKER_FEE = UD60x18.wrap(0.1e18);

function setUp() external { }

function test_checkAndCalculateBrokerFee() external {

// tokens with less than 18 decimals

uint128 totalAmount = 100e6; // 100 USDC - USDC has 6 decimals

uint128 brokerFee = 0.1e6; // 10% fee which should thow

Lockup.CreateAmounts memory createAmounts =

Helpers.checkAndCalculateBrokerFee(totalAmount, UD60x18.wrap(brokerFee), MAX_BROKER_FEE);

console.log(createAmounts.brokerFee);

console.log(createAmounts.deposit);

assertEq(createAmounts.brokerFee, 0);

assertEq(createAmounts.deposit, 100e6);

}

Tools Used

Manual Review, Foundry

Recommended Mitigation Steps

Make sure the prb library performs correct calculations for tokens with < 18 decimals.

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

53,440 USDC

nSLOC

2,655

20 USDC / LOC

High Medium

45,000 USDC

Low

3,100 USDC

Judges

5,340 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.