The check for the total fees exceeding the limit is performed after the new fee is already added to the fees array. This means that if the new fee causes the total to exceed the limit, the revert will happen, but the invalid fee will still be present in the fees array.
The addFee function allows adding a new fee that can cause the total fees to exceed the maximum limit of 10000 basis points (100%). The check for the total fees exceeding the limit is performed after the new fee is already added to the fees array. If the new fee causes the total to exceed the limit, the function will revert with the FeesExceedLimit error, but the invalid fee will still be present in the fees array.
The addFee function takes two parameters: _receiver (the address of the fee receiver) and _feeBasisPoints (the fee amount in basis points).
Inside the function, the new fee is immediately added to the fees array using fees.push(Fee(_receiver, _feeBasisPoints)).
After adding the new fee, the function checks if the total fees exceed the limit of 10000 basis points by calling the _totalFeesBasisPoints() function.
If the total fees exceed the limit, the function reverts with the FeesExceedLimit error.
However, the invalid fee that caused the total to exceed the limit is still present in the fees array.
The issue occurs because the check for the total fees exceeding the limit is performed after the new fee is already added to the fees array. This allows the fees array to contain invalid fees that cause the total to exceed the limit, even though the function reverts.
This can be exploited by calling the addFee function with a _feeBasisPoints value that, when added to the existing total fees, exceeds 10000 basis points. Here's a scenario demonstrating the issue:
Assume the current total fees in the fees array sum up to 9000 basis points.
An attacker calls the addFee function with _receiver set to their own address and _feeBasisPoints set to 2000.
The new fee is added to the fees array, making the total fees 11000 basis points.
The function checks if the total fees exceed the limit and reverts with the FeesExceedLimit error.
However, the invalid fee (2000 basis points) is still present in the fees array.
Performing the total fees limit check after adding the new fee to the fees array allows the fees array to contain invalid fees that violate the limit, even though the function reverts.
If the fees array contains invalid fees that cause the total to exceed the limit, it can affect the fee distribution process. The _splitRewards function, which is responsible for splitting the rewards among the fee receivers, may distribute the rewards based on the invalid fees. This can result in incorrect allocation of rewards to the fee receivers.
Manual Review
The check for the total fees exceeding the limit should be performed before adding the new fee to the fees array.
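The recommended ordering as a Solidity sketch. This is an added example, not the audited contract's code: the contract name, the owner check and the MAX_TOTAL_BASIS_POINTS constant are assumptions, while addFee, fees, Fee, FeesExceedLimit and _totalFeesBasisPoints are the names used in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical contract written for this example. Only the names addFee,
// fees, Fee, FeesExceedLimit and _totalFeesBasisPoints come from the report.
contract FeeRegistryExample {
    struct Fee {
        address receiver;
        uint256 basisPoints;
    }

    // Assumed name for the 10000 basis point (100%) cap the report describes.
    uint256 private constant MAX_TOTAL_BASIS_POINTS = 10000;

    address private immutable owner; // assumed access control, not from the report
    Fee[] private fees;

    error FeesExceedLimit();
    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    function addFee(address _receiver, uint256 _feeBasisPoints) external {
        if (msg.sender != owner) revert NotOwner();

        // Check first: compare the existing total plus the candidate fee
        // against the cap before the fees array is touched.
        if (_totalFeesBasisPoints() + _feeBasisPoints > MAX_TOTAL_BASIS_POINTS) {
            revert FeesExceedLimit();
        }

        // Effect last: only a fee that keeps the total within the cap is stored.
        fees.push(Fee(_receiver, _feeBasisPoints));
    }

    // Sum of all stored fees, in basis points.
    function _totalFeesBasisPoints() internal view returns (uint256 total) {
        for (uint256 i = 0; i < fees.length; ++i) {
            total += fees[i].basisPoints;
        }
    }
}
```

With the scenario's numbers (9000 basis points stored, 2000 requested), the comparison sees 11000 and reverts before fees.push is reached.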