Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: low
Valid

PreMarkets - Unable to withdraw platform rewards

Summary

The PreMarkets contract accumulates platform revenue in per-maker platformFee fields, but the codebase exposes no function that withdraws that revenue and updates those fields as part of the same operation.

Vulnerability Details

When users interact with the platform, platformFee is accumulated in each MakerInfo struct inside the PreMarkets contract; the field records the platform's earnings from a particular maker.

The issue is that the codebase provides no function by which, for example, the contract owner can withdraw the platform's revenue and, as part of the same call, update the corresponding platformFee values.

The TokenManager contract does have a rescue function that can pull tokens out of the contract, but using it for fee withdrawals is a poor option: it never updates the platformFee values inside PreMarkets. The operator is then left to work out off-chain how many tokens have accrued since the previous withdrawal, and the on-chain value no longer indicates whether a given fee has already been taken.

Impact

The platform-reward calculation and withdrawal process is cumbersome and opaque: the amount to withdraw must be reconstructed from the per-maker platformFee values and earlier rescue calls, nothing on-chain records that a withdrawal happened, and the platformFee values in the PreMarkets contract are never updated. From the users' point of view this makes the protocol's fee handling hard to verify and therefore hard to trust.

Tools Used

Manual review of the protocol code; no third-party tools were used.

Recommendations

Add an explicit, access-controlled function for withdrawing platform rewards that transfers the accrued amount and updates the stored fee values in the same transaction.

You could also simplify the way platform rewards are accumulated. Instead of writing the value into each MakerInfo, keep a single accumulator at the contract level. The total protocol revenue can then be read from one variable, and it would be cheaper, since only one value needs to be updated per fee-bearing trade.
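The following Solidity sketch is an added illustration of both recommendations, written for this review and not Tadle's code. It keeps a contract-level unwithdrawn balance next to a lifetime total (so the historical figure the existing field carries is not lost) and adds an owner-gated withdrawal that zeroes the balance before the external transfer. The contract name, the single-fee-token assumption, the basis-point fee input and the `_accruePlatformFee` hook are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this review, not Tadle's code.
// Assumptions: a single fee token (the real protocol handles several),
// an `owner` as the only withdrawer, and fees quoted in basis points.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PlatformFeeVault {
    address public owner;
    IERC20 public immutable feeToken;

    // Accrued but not yet withdrawn; reset to zero by withdrawPlatformFee.
    uint256 public unwithdrawnPlatformFee;
    // Historical total; never decreases, so the "how much has the
    // protocol earned" question stays answerable after withdrawals.
    uint256 public lifetimePlatformFee;

    event PlatformFeeAccrued(address indexed maker, uint256 amount);
    event PlatformFeeWithdrawn(address indexed to, uint256 amount);

    error NotOwner();
    error NothingToWithdraw();
    error TransferFailed();
    error FeeTooHigh();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IERC20 _feeToken) {
        owner = msg.sender;
        feeToken = _feeToken;
    }

    /// Hypothetical hook called from the trade/settlement path where the
    /// protocol's cut is computed, in place of writing it into a
    /// per-maker MakerInfo struct. Internal so that only the trade path,
    /// not an arbitrary caller, can inflate the accumulators.
    /// Returns the fee so the caller can net it out of the maker's proceeds.
    function _accruePlatformFee(address maker, uint256 grossAmount, uint256 feeBps)
        internal
        returns (uint256 fee)
    {
        if (feeBps > 10_000) revert FeeTooHigh();
        fee = (grossAmount * feeBps) / 10_000;
        unwithdrawnPlatformFee += fee;
        lifetimePlatformFee += fee;
        emit PlatformFeeAccrued(maker, fee);
    }

    /// Explicit withdrawal. Checks-effects-interactions: the balance is
    /// zeroed before the external token call, and the event records
    /// exactly what left the contract, so withdrawals are auditable on-chain.
    function withdrawPlatformFee(address to) external onlyOwner returns (uint256 amount) {
        amount = unwithdrawnPlatformFee;
        if (amount == 0) revert NothingToWithdraw();
        unwithdrawnPlatformFee = 0;
        if (!feeToken.transfer(to, amount)) revert TransferFailed();
        emit PlatformFeeWithdrawn(to, amount);
    }
}
```

Two caveats for anyone adapting this. A single contract-level accumulator discards the per-maker breakdown that the current MakerInfo.platformFee provides; if that breakdown is needed for accounting, keep the per-maker field and add the aggregate alongside it rather than replacing it. And the bare `transfer` return-value check above only works for tokens that follow the ERC-20 return convention; production code should use a SafeERC20-style wrapper so that tokens returning nothing, such as USDT, do not revert the withdrawal.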

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-platformFee-no-withdraw-functionality

Low severity, this can be done using the `Rescuable.sol` contract. Arguably there are no errors here given the `platformFee` variable can represent the historical fees that the protocol has accumulated and need not be updated when fees are withdrawn. However, I believe a more explicit function can be valuable to be more transparent regarding withdrawals. However, I will leave this issue open for escalation for debates because I can see it as arguably invalid as well, but I see no arguments for it being medium severity since there is an alternative to retrieve platform fees, assuming admins are trusted.
