Dria
Swan
NFTHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

`withdrawPlatformFees` withdraws fees for generators and validators too

pyro

Summary

withdrawPlatformFees withdraws fees for generators and validators too, preventing them from claiming the fees in the future.

Vulnerability Details

Even thought withdrawPlatformFees has onlyOwner on it, the function is hardcoded to extract too much tokens from the contract, meaning that even under normal use (not malicious) the function would misbehave and extract all of the fee tokens.

function withdrawPlatformFees() public onlyOwner {
feeToken.transfer(owner(), feeToken.balanceOf(address(this)));
}

That is dangerous as it will transfer always some tokens that have been allocated to generators and validators when they have executed their jobs.

function respond(uint256 taskId, uint256 nonce, bytes calldata output, bytes calldata metadata) public {
...
// send rewards to the generator if there is no validation
if (task.parameters.numValidations == 0) {
_increaseAllowance(msg.sender, task.generatorFee);
}
function _increaseAllowance(address spender, uint256 amount) internal {
feeToken.approve(spender, feeToken.allowance(address(this), spender) + amount);
}

The main issue happens as we only approve feeToken to be taken away from the validator, but call feeToken.balanceOf(address(this)) inside withdrawPlatformFees.

Impact

Contract will lack the funds to pay it's users - aka. loss of funds

Tools Used

Manual review

Recommendations

Have a variable to track platform fees and transfer only it's amount inside withdrawPlatformFees.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.