Flow

Summary

In the calculation of feeAmount, fee percentage is applied on the gross amount. As a result, effective feeAmount is overstated and netAmount is understated.

Vulnerability Details

Source: https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/libraries/Helpers.sol#L22

In Helpers::calculateAmountsFromFee function, total gross amount is multiplied to the fee percentage as below:

feeAmount = ud(totalAmount).mul(fee).intoUint128();

In this way the effective fee percentage is computed more than the actual fee percentage.

Let's consider below scenario for example:

totalAmount = 1000e6

fee = 0.1e18 --> 10%

In this case if we take the effective percentage of fee as the percentage of the amount, then it will be 100 * 100 / 900 = 11.11%, this is above the cap of MAX_FEE.

Impact

In case of withdraw, the debt is settled with the full amount (netAmount + protocolFee) whereas netAmount is transferred to recipient and protocolFee is added to protocolRevenue. As a result the withdrawn amount is understated and protocolFee is overstated.

In case of depositViaBroker the broker fee will be overstated and protocol balance will effectively be understated as a result coveredDebt and withdrawable amount will be understated as well.

Tools Used

Manual review

Recommendations

The netAmount and fee should be calculated as below:

Now the fee is effectively 10% approx.