HardhatDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Donor does not know the exact DIVA protocol fees when creating a contingent pool

Summary

When a donor creates a pool (createContingentPool), he cannot specify a DIVA fee that is acceptable to him. The fee can be changed in the DIVA protocol, despite the 60-day delay. DIVA's fee can matter to the user because, when he creates a pool, he sends his money to DIVA's wrapper, and the fee will be charged from his money if he decides to take it back.

Vulnerability Details

The DIVA protocol charges a fee when the donor tries to receive his money back. When DIVA's owner wants to change the fee, he calls updateFees() in the DIVA protocol (https://github.com/divaprotocol/diva-protocol-v1/blob/main/DOCUMENTATION.md#updatefees). The change has a 60-day delay: only after 60 days is it applied automatically. But a user could send a tx before the new fees apply, the tx could sit in the mempool for a long time, and it would then be executed after the new fees in the DIVA protocol have already been applied.

Example:

  • Current fees are 1%.

  • The owner calls updateFees to set 2%.

  • 59 days pass after the previous step.

  • The user checks the current fees in the DIVA protocol and the values are OK for him.

  • The user calls wrapper.createContingentPool().

  • The user's tx stays in the mempool for too long.

  • The new fees are applied in the DIVA protocol.

  • The user's tx is executed with the NEW fees.

Impact

The user cannot be sure which fees will apply to the pool he creates. The fees may not be acceptable to him.

Tools Used

Manual review

Recommendations

Allow the donor to specify the pool fee, or a range of values, when he calls createContingentPool().
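The timeline from the Example and the recommended bound can be replayed in a small Python model, added here as an illustration; it is not code from the submission, the wrapper or DIVA. `FeeSchedule`, `create_pool` and `max_fee_bps` are hypothetical names, the model assumes the fee in force at execution is the one the pool gets, and the day-61 execution time is constructed.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60
FEE_DELAY = 60 * DAY  # activation delay stated in the report

class FeeTooHigh(Exception):
    """Fee in force at execution exceeds the caller's bound."""

@dataclass
class FeeSchedule:
    """Toy model (not DIVA's contract): a fee that changes only after a delay."""
    current_bps: int
    pending_bps: Optional[int] = None
    activates_at: Optional[int] = None

    def update_fees(self, new_bps: int, now: int) -> None:
        # Schedule the new fee; it takes effect automatically after the delay.
        self.pending_bps, self.activates_at = new_bps, now + FEE_DELAY

    def fee_at(self, now: int) -> int:
        if self.pending_bps is not None and now >= self.activates_at:
            return self.pending_bps
        return self.current_bps

def create_pool(fees: FeeSchedule, executed_at: int,
                max_fee_bps: Optional[int] = None) -> int:
    """Return the fee (bps) the pool gets, read at execution time."""
    fee_bps = fees.fee_at(executed_at)
    # Hypothetical guard from the recommendation: caller states an upper bound.
    if max_fee_bps is not None and fee_bps > max_fee_bps:
        raise FeeTooHigh(f"fee {fee_bps} bps > allowed {max_fee_bps} bps")
    return fee_bps

def replay_report_timeline(max_fee_bps: Optional[int] = None):
    """Replay the report's example; returns (fee the user saw, fee the pool got)."""
    fees = FeeSchedule(current_bps=100)              # current fees: 1%
    fees.update_fees(200, now=0)                     # owner schedules 2%
    seen = fees.fee_at(59 * DAY)                     # user checks on day 59
    pool = create_pool(fees, 61 * DAY, max_fee_bps)  # constructed: mined on day 61
    return seen, pool

if __name__ == "__main__":
    print("no bound:", replay_report_timeline())
    try:
        replay_report_timeline(max_fee_bps=100)
    except FeeTooHigh as exc:
        print("with bound:", exc)
```

Without a bound the user sees 100 bps and the pool gets 200 bps; with a bound of 100 bps the late transaction reverts instead of executing at the new fee.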

Updates

Lead Judging Commences

bube Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

sovaslava Submitter
5 months ago
bube Lead Judge
5 months ago
bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
