When the protocol fee is changed via setProtocolFee(), it takes effect immediately and applies to the total amount withdrawn, regardless of whether the debt accrued before or after the fee change. Recipients withdrawing old debt can be charged the new, higher fee.
An admin can initially set a low or 0% protocol fee to encourage higher volume, then once significant debt has accrued, raise the fee to the maximum 10% and collect outsized revenue on subsequent withdrawals, even though the debt originated under a lower-fee regime.
The _withdraw() function applies the current protocol fee indiscriminately:
An admin can exploit this in three steps:
1. Set the protocol fee to 0% to drive adoption
2. Once a high total debt has accrued, raise the fee to 10%
3. Collect excess revenue on subsequent withdrawals
Recipients could lose up to 10% of expected payments. Excess fees accrue to the protocol admin, an improper transfer of wealth. While the impact is bounded by MAX_FEE, it could still be substantial for high-value streams. The protocol would also suffer severe reputational damage if the admin is seen abusing this.
Manual code review
Only apply fee changes prospectively, tracking the fee in effect at the time the debt was incurred
Assess fees continuously over shorter windows for a blended effective rate
Require a time lock on fee hikes over a certain threshold to allow recipients to react
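A model of the first recommendation, added here as an illustration and not taken from the protocol's code: it compares the fee charged when the latest rate is applied to the whole withdrawal against a checkpointed schedule that charges each slice of debt at the rate in force while it accrued. The FeeSchedule class, the 1e18 fixed-point scale, the function names and the stream numbers are assumptions made for the example.

```python
from bisect import bisect_right

SCALE = 10**18         # assumed fixed-point scale: 1e18 == 100%
MAX_FEE = SCALE // 10  # the 10% cap mentioned in the finding
DAY = 86_400

class FeeSchedule:
    """Hypothetical append-only history of (timestamp, fee) checkpoints."""
    def __init__(self, initial_fee=0):
        self.times, self.fees = [0], [initial_fee]

    def set_fee(self, now, fee):
        if fee > MAX_FEE or now < self.times[-1]:
            raise ValueError("fee above cap or checkpoint out of order")
        self.times.append(now)
        self.fees.append(fee)

def fee_retroactive(sched, rate, start, end):
    """Behaviour described in the finding: latest fee on the whole amount."""
    return rate * (end - start) * sched.fees[-1] // SCALE

def fee_prospective(sched, rate, start, end):
    """Charge each slice of debt at the fee in force while it accrued."""
    i = bisect_right(sched.times, start) - 1  # checkpoint active at `start`
    t, total = start, 0
    while t < end:
        nxt = sched.times[i + 1] if i + 1 < len(sched.times) else end
        seg_end = min(nxt, end)
        total += rate * (seg_end - t) * sched.fees[i] // SCALE
        t, i = seg_end, i + 1
    return total

def scenario():
    """Constructed numbers: 0% fee for 90 days, then 10%; withdraw at day 100."""
    sched = FeeSchedule(initial_fee=0)
    sched.set_fee(90 * DAY, MAX_FEE)
    rate = 1_000  # token base units streamed per second (constructed)
    return (fee_retroactive(sched, rate, 0, 100 * DAY),
            fee_prospective(sched, rate, 0, 100 * DAY))

if __name__ == "__main__":
    retro, prosp = scenario()
    print(f"retroactive fee: {retro}, prospective fee: {prosp}")
```

In the constructed scenario the retroactive calculation charges ten times what the checkpointed one does, because 90 of the 100 days of debt accrued while the fee was 0%.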