Some users may pay no platform fee at all
Summary
Protocol might suffer losses if user, do not pay any fees.
Vulnerability Details
When, a user buys up points from a offerput up by a maker, they transfer their amount as collateral to the capital pool., And the takers platformFee is calculated as depositAmount * platformFeerate
and their fee rate is fetched from their mapping, from here
But if the userPlatformFeeRate is not initialized, it just returns basePlatformFeeRate
The problem is basePlatformFeeRate can be less than PLATFORM_FEE_DECIMAL_SCALERsince no such sanitisation is done here:
https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L29
uint256 internal constant PLATFORM_FEE_DECIMAL_SCALER = 1_000_000;
The vulnerability occurs when a user wants to buy few points from a maker offering huge points thus the takers deposited amount will also be very less & with low decimal tokens such as GEMINI USD the precision being very less the users may end up paying no fees at all
Impact
Low: Since it may only work when deposit amount is less[mostly with low dec tokens], and users whose platformfeerate hasn't been set yet[ this may be for 1st time users, or users frontrunning the fee set transaction]
Tools Used
Manual review
Recommendations
Have the baseplatformfee rate same as PLATFORM_FEE_DECIMAL_SCALER
I noticed there is a mismatch in comments in baseFeeratein SystemConfig.sol & SystemConfigStorage.sol
Here it says 0.5% -> https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/SystemConfig.sol#L22
And here it says 0.05% -> https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/storage/SystemConfigStorage.sol#L17
Lead Judging Commences
finding-PreMarkets-tradeTax-round-down-low-decimal
Valid medium, this will indeed cause a leakage (albeit requires relatively small amount of collateral transacted, and is most significant for lower decimal tokens (does not break ERC20 specifications), resulting in platFormFee rounding to zero and creater of offers not sending fees to capitalPool when `_depositTokenWhenCreateTaker` is invoked. For issues noting rounding directions, it will be low severity given the impact is not proven sufficiently with a PoC/numerical example and most rounding will not result in significant losses. I believe the most appropriate solution here is to increase scale of platFormFees scalar, but to make sure that overflows are considered for higher decimal tokens.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.