Tadle

DeFiFoundry

27,750 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Tadle won't be able to take PlatformFee from a Maker

unique

Summary

In certain scenarios, a Maker can bypass paying platform fees. The issue arises in the createTaker() function, where the fee is taken from the Maker. If a Taker buys only a portion of the offer (e.g., half), the platform fee becomes zero due to rounding, effectively allowing the Maker to avoid paying fees for that portion.

Vulnerability Details

Suppose Alice creates an offer to sell 100 Points for $20. Bob, who wants to buy half of that offer (i.e., 50 Points for $10), will call createTaker(address _offer, uint256 _points).

How this happens 👇

Step 1: Find the `platformFeeRate`

203: uint256 platformFeeRate = systemConfig.getPlatformFeeRate(_msgSender());

The platformFeeRate is 0.5%, as stated in this reference.

Step 2: Calculate the `DepositAmount`

212: uint256 depositAmount = _points.mulDiv(

offerInfo.amount,

offerInfo.points,

Math.Rounding.Ceil

);

After calculation, the depositAmount is 10.

Step 3: Calculate `platformFee`

217: uint256 platformFee = depositAmount.mulDiv(

platformFeeRate,

Constants.PLATFORM_FEE_DECIMAL_SCALER

);

The final platformFee would be 0.05. However, since platformFee is a uint256 and cannot represent fractional numbers, it is rounded down to 0.

Step 4: Calculate `remainingPlatformFee`

254: uint256 remainingPlatformFee = _updateReferralBonus(

platformFee,

depositAmount,

stockAddr,

makerInfo,

referralInfo,

tokenManager

);

Since platformFee = 0, the _updateReferralBonus() function sets both referrerReferralBonus and authorityReferralBonus to 0, resulting in a remainingPlatformFee of 0.

Step 5: Update `makerInfo.platformFee`

263: makerInfo.platformFee = makerInfo.platformFee + remainingPlatformFee;

Because remainingPlatformFee is zero, and the platformFee was initially set to zero when creating the offer, the makerInfo.platformFee remains zero.

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/PreMarkets.sol#L263

Impact

The rounding down of fractional platform fees to zero allows the Maker to avoid paying the required fee when a Taker buys a portion of the offer. This vulnerability could result in a loss of revenue for the platform and create an unfair advantage for Makers.

Tools Used

Manual Review

Recommendations

Set Minimum Fee Threshold: Introduce a minimum platform fee threshold, ensuring that even small transactions incur a fee that cannot be bypassed.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-PreMarkets-platformFee-no-withdraw-functionality

Low severity, this can be done using the `Rescuable.sol` contract. Arguably there is no errors here given the `platformFee` variable can represent the historical fees that the protocol has accumulated and need not be updated when fees are withdrawn. However, I believe a more explicit function can be valuable to be more transparent regarding withdrawals. However, I will leave this issue open for escalation for debates because I can see it as arguably invalid as well, but I see no arguments for it being medium severity since there is an alternative to retrieve platform fees, assuming admins are trusted.

Prize pool breakdown

Total prize

27,750 USDC

nSLOC

1,229

23 USDC / LOC

High Medium

25,000 USDC

Low

2,750 USDC

Judges

2,250 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.