In the PreMarkets.sol contract, the platform fee calculation can be bypassed for ERC20 tokens with low decimal precision, such as Gemini USD (GUSD), which has only 2 decimals. This issue arises due to the way the platform fee is calculated using a fixed decimal scaler (PLATFORM_FEE_DECIMAL_SCALER), which does not account for tokens with fewer than 18 decimals.
And the constant definition in Constants.sol:
Example:
Let's say:
depositAmount: 100e2
platformFeeRate: 0.5%, i.e. 50
As we can see from the above, the platform fee can be bypassed.
Note: this is only one example; refer below for the list of tokens that have fewer than 18 decimals.
Platform fees can be bypassed
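To make the rounding concrete, the following is an added example written for this page (not code from the Tadle repository or from the finding's author). It models the fee arithmetic in plain integers the way `mulDiv` with floor rounding behaves, and then shows two mitigations the judge's direction points at: rounding the fee up, or refusing a non-zero deposit whose fee floors to zero. Both the scaler value (1e18) and the way the 0.5% rate is expressed (as a fraction of that scaler, 5e15) are assumptions, since the page does not reproduce Constants.sol; change the two constants at the top if the real values differ.

```python
# Integer model of the platform-fee calculation in the finding.
# ASSUMPTIONS (not taken from the page): the scaler is 1e18 and the fee rate is
# expressed as a fraction of that scaler, so 0.5% == 5e15.
PLATFORM_FEE_DECIMAL_SCALER = 10**18
PLATFORM_FEE_RATE = 5 * 10**15  # 0.5% of the scaler


def units(human_amount: int, decimals: int) -> int:
    """Convert a whole-token amount into base units for a token with `decimals`."""
    return human_amount * 10**decimals


def platform_fee_floor(deposit_amount: int,
                       rate: int = PLATFORM_FEE_RATE,
                       scaler: int = PLATFORM_FEE_DECIMAL_SCALER) -> int:
    """Mirror of amount.mulDiv(rate, scaler) with the default (floor) rounding.

    This is the vulnerable shape: whenever amount * rate < scaler the fee is 0.
    """
    return deposit_amount * rate // scaler


def platform_fee_ceil(deposit_amount: int,
                      rate: int = PLATFORM_FEE_RATE,
                      scaler: int = PLATFORM_FEE_DECIMAL_SCALER) -> int:
    """Mitigation 1: round the fee up, so any non-zero deposit pays >= 1 base unit."""
    return -(-(deposit_amount * rate) // scaler)


def fee_or_revert(deposit_amount: int,
                  rate: int = PLATFORM_FEE_RATE,
                  scaler: int = PLATFORM_FEE_DECIMAL_SCALER) -> int:
    """Mitigation 2: keep floor rounding but reject deposits whose fee floors to 0.

    Raises ValueError in the place a Solidity implementation would revert.
    """
    fee = platform_fee_floor(deposit_amount, rate, scaler)
    if deposit_amount > 0 and fee == 0:
        raise ValueError("deposit too small: platform fee rounds to zero")
    return fee


def min_deposit_for_nonzero_fee(rate: int = PLATFORM_FEE_RATE,
                                scaler: int = PLATFORM_FEE_DECIMAL_SCALER) -> int:
    """Smallest deposit (in base units) whose floored fee is at least 1.

    Equals ceil(scaler / rate); every deposit below it pays no fee at all.
    Note the threshold is in base units, so its real-world value grows as the
    token's decimals shrink: 200 base units is 200 wei of WETH but $2.00 of GUSD.
    """
    return -(-scaler // rate)


if __name__ == "__main__":
    threshold = min_deposit_for_nonzero_fee()
    for name, decimals in (("GUSD", 2), ("USDC", 6), ("WETH", 18)):
        zero_fee_max = threshold - 1  # largest base-unit deposit that pays nothing
        print(f"{name}: deposits up to {zero_fee_max} base units "
              f"({zero_fee_max / 10**decimals:.18g} tokens) pay zero fee")
    # The page's own numbers: 100e2 base units of a 2-decimal token.
    print("fee on 100e2 (floor):", platform_fee_floor(units(100, 2)))
    print("fee on 1e2 (floor):", platform_fee_floor(units(1, 2)),
          "| ceil:", platform_fee_ceil(units(1, 2)))
```

Under these assumptions a $1.00 GUSD deposit (100 base units) pays a fee of 0 with floor rounding and 1 base unit with ceiling rounding, while the same 0.5% on a 1 WETH deposit is 5e15 wei; the zero-fee window is a fixed 199 base units regardless of token, which is why it only matters for low-decimal tokens.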
Valid medium, this will indeed cause a leakage (albeit it requires a relatively small amount of collateral transacted, and is most significant for lower decimal tokens (does not break ERC20 specifications)), resulting in platformFee rounding to zero and the creator of offers not sending fees to capitalPool when `_depositTokenWhenCreateTaker` is invoked. For issues noting rounding directions, it will be low severity given the impact is not proven sufficiently with a PoC/numerical example and most rounding will not result in significant losses. I believe the most appropriate solution here is to increase the scale of the platformFees scalar, but to make sure that overflows are considered for higher decimal tokens.