Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: medium
Valid

Platform fees are intermixed with generator/validator fees and cannot be claimed separately

Summary

The oracle coordinator collects fees on every generation request. Those fees include:

  • platform fees (to be collected by the coordinator's owner)

  • generator fees

  • validator fees

Generators and validators are selected to claim their rewards (out of the fees) if their responses are close enough to the mean of the responses. However, the coordinator does not send rewards to generators and validators directly; instead it increases their respective token allowances. Generators and validators then have to claim their rewards by calling transferFrom on the feeToken.

On the other hand, the coordinator's owner is entitled to the platform fees and to the generator/validator fees for which the generators and validators were not selected (i.e. because their responses were not good enough). The only way for the owner to claim these fees is by calling withdrawPlatformFees(). That's where the issue is: withdrawPlatformFees sends ALL the tokens held by the coordinator, even if part of those tokens is owed to generators/validators.

Here's a simple sequence of steps that can lead to this situation:

  • buyer agent issues oracle purchase request

  • generatorA responds

  • generatorB responds

  • validatorA validates

    • validation is finalized, generatorA and validatorA become eligible for a reward. generatorB is not selected

  • generatorA claims its rewards

  • validatorA does not yet claim its rewards

  • owner wants to claim its rewards

At this point, the owner has the following options, all of which are problematic:

  • the owner calls withdrawPlatformFees() and receives its fees, but also effectively steals validatorA's rewards

  • the owner doesn't want to steal validatorA's rewards, so they wait for validatorA to claim its rewards first. But the owner can't know when, or if ever, validatorA will claim them

Vulnerability Details

The implementation of withdrawPlatformFees does not let the coordinator's owner claim the platform fees separately from the generator/validator fees:

    /// @notice Withdraw the platform fees & along with remaining fees within the contract.
    function withdrawPlatformFees() public onlyOwner {
        feeToken.transfer(owner(), feeToken.balanceOf(address(this)));
    }

Impact

If the coordinator's owner wants to withdraw platform fees while not all of the generators/validators have claimed their fees, either the owner steals the fees from the generators/validators or the owner is forced to wait (possibly indefinitely) for the generators/validators to finish claiming their fees.

Tools Used

Manual review

Recommendations

Introduce separate accounting for platform fees and generator/validator fees.
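
The step sequence from the Summary, replayed against both the current withdraw-everything behaviour and the recommended separate accounting, as an added Python model (not code from this submission or from the Dria contracts). The class names, the owner_claimable counter and the fee amounts are assumptions chosen for illustration:

```python
from collections import defaultdict

# Constructed model of the fee flow in this finding; names and amounts are assumptions.
class Token:  # minimal ERC-20 ledger: balances plus allowances
    def __init__(self, balances):
        self.bal, self.allow = defaultdict(int, balances), defaultdict(int)
    def transfer(self, src, dst, amt):
        if self.bal[src] < amt:
            raise ValueError("insufficient balance")
        self.bal[src] -= amt
        self.bal[dst] += amt
    def transfer_from(self, spender, src, dst, amt):
        if self.allow[src, spender] < amt:
            raise ValueError("insufficient allowance")
        self.transfer(src, dst, amt)
        self.allow[src, spender] -= amt

class Coordinator:
    def __init__(self, token, separate_accounting):
        self.token, self.separate = token, separate_accounting
        self.owner_claimable = 0  # platform fees + fees of unselected participants

    def request(self, buyer, platform_fee, participant_fees):
        self.token.transfer(buyer, "coordinator", platform_fee + sum(participant_fees))
        self.owner_claimable += platform_fee

    def finalize(self, rewards, forfeited):
        for who, amt in rewards.items():  # selected: allowance is raised, nothing is sent
            self.token.allow["coordinator", who] += amt
        self.owner_claimable += forfeited  # unselected fees go to the owner

    def withdraw_platform_fees(self):
        # Current behaviour drains the whole balance; the fix pays only the tracked share.
        amt = self.owner_claimable if self.separate else self.token.bal["coordinator"]
        self.owner_claimable = 0
        self.token.transfer("coordinator", "owner", amt)

def run_scenario(separate_accounting):
    """Replay the Summary steps; return (owner payout, validatorA could still claim)."""
    t = Token({"buyer": 100})
    c = Coordinator(t, separate_accounting)
    c.request("buyer", platform_fee=10, participant_fees=[20, 20, 5])  # genA, genB, valA
    c.finalize({"generatorA": 20, "validatorA": 5}, forfeited=20)  # generatorB not selected
    t.transfer_from("generatorA", "coordinator", "generatorA", 20)  # generatorA claims
    c.withdraw_platform_fees()  # owner withdraws before validatorA has claimed
    try:
        t.transfer_from("validatorA", "coordinator", "validatorA", 5)  # late claim
    except ValueError:
        return t.bal["owner"], False
    return t.bal["owner"], True
```

With the current behaviour the owner receives 35 and validatorA's later transferFrom fails even though its allowance is intact; with the tracked counter the owner receives 30 and validatorA can still claim its 5.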

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`withdrawPlatformFees` withdraws the entire balance
