Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Unsafe Fee Withdrawal Mechanism Allows Owner to Claim Validator and Generator Rewards

aestheticbhai

Summary
The `LLMOracleCoordinator.sol` contract's `withdrawPlatformFees()`function allows the owner to withdraw the entire contract balance, including fees that rightfully belongs to the generators and validators of the protocol, potentially leading to loss of earned rewards for protocol participants

Vulnerability Details
By using the Function `withdrawPlatformFees()` https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/llm/LLMOracleCoordinator.sol#L375
The owner is intended to withdraw the platform fee, But it uses `feeToken.transfer(owner(), feeToken.balanceOf(address(this)));`

function withdrawPlatformFees() public onlyOwner {

feeToken.transfer(owner(), feeToken.balanceOf(address(this)));

}

This makes it impossbile for the owner to withdraw fees in a safe way that does not grief the generators and validators of the protocol who earn fee by using the function `respond`and `validate`(because the fees is not instantly transferred to the generators and validators instead it increases allowance of the generators and validators by using function `_increaseAllowance` https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/llm/LLMOracleCoordinator.sol#L396

/// Increases the allowance by setting the approval to the sum of the current allowance and the additional amount.

/// @param spender spender address

/// @param amount additional amount of allowance

function _increaseAllowance(address spender, uint256 amount) internal {

feeToken.approve(spender, feeToken.allowance(address(this), spender) + amount);

}

So due to this if a generator or validator have not yet used `transferfrom`and are just stacking up fee and before them claiming there rewards the owner uses `withdrawPlatformFees()`this makes the contract out of funds thus there is no amount left for the genrators and validators to claim from this contract

Impact
- Generators and validators can lose 100% of their unclaimed rewards if the owner withdraws before they execute `transferFrom`
- Since the vulnerability affects the entire contract balance, the potential loss is unbounded and scales with protocol usage
- Protocol's accounting system is effectively broken since allowances don't match available fund
- This Will impact the owner as well because as the owner is trusted they would not want to grief the protocols validators and generators so this creates a scenario that calling the function `withdrawPlatformFees`is never safe(as there will always be unclaimed rewards in the protocol) so the owner will hypothetically never be able to claim the platformfees without griefing the protocols validators and generators

Tools Used
Manual Analysis

Recommendations
Separate Accounting with Fee Tracking -
Track platform fees separately from participant rewards
Use dedicated storage variables for each type of fee
Implement separate withdrawal functions for each fee type
or Real-time Fee Distribution -
Distribute fees immediately when earned
Send platform fees directly to a collector address
Transfer participant rewards instantly instead of using allowances

Updates

Lead Judging Commences

inallhonesty Lead Judge

8 months ago

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.