Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Untracked Platform Fees Results In Misappropriated Liquidity

auditweiler

Summary

It is not possible to collect platform fees without inadvertently stealing token capital owed to protocol users.

Vulnerability Details

The LLMOracleCoordinator exports a function which enables the protocol owner to collect due revenue accrued from request fees and failed consensus outliers:

/// @notice Withdraw the platform fees & along with remaining fees within the contract.

function withdrawPlatformFees() public onlyOwner {

feeToken.transfer(owner(), feeToken.balanceOf(address(this)));

}

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L374C5-L377C6

First, note that this function will unconditionally withdraw all feeTokens from the contract.

This implementation is problematic, since alongside withdrawing the owner's due feeTokens, this will also withdraw all tokens on the contract which are reserved for users:

function _increaseAllowance(address spender, uint256 amount) internal {

feeToken.approve(spender, feeToken.allowance(address(this), spender) + amount);

}

https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/llm/LLMOracleCoordinator.sol#L396C5-L398C6

Notice that _increaseAllowance (used for issuing rewards and refunds to protocol participants) also deals in feeToken.

As shown via the calls to _increaseAllowance, the LLMOracleCoordinator works explicitly using token approvals to protocol users when distributing rewards. These users are given the right to spend their due token allowance from the contract, but the tokens themselves are not actually pushed; this is done at the user's convenience.

Consequently, it is unavoidable that any tokens approved for protocols users thaat remain on the contract will be inadvertently withdrawn during a call to withdrawPlatformFees. It is not possible for the owner to collect their due revenue in any capacity without risking interference with user distribution.

Impact

Either the protocol is left unable to accrue their due fees (to avoid service disruption), or the inadvertent theft of user rewards (which would need to be manually indxed and redistributed by the protocol owner).

Tools Used

Manual Review

Recommendations

There are two possible remediations:

The least invasive fix would be to allow the owner to specify an amount to withdraw when calling withdrawPlatformFees. This would at least allow the contract owner to specify the correct number of tokens to withdraw from the contract without inadvertently collecting user tokens.
Use internal accounting for accrued protocol fees and only withdraw these.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.