In the buyOrder function of the TokenDivider contract, the validation for msg.value checks only the seller's portion of the fee (sellerFee) but fails to account for the full platform fee (fee). This oversight could lead to insufficient fees being sent for proper distribution between the seller and the contract owner, resulting in unexpected behavior or failed transactions.
The buyOrder function performs the following key actions:
Validates that the buyer sends enough Ether to cover the price of the order and the seller's portion of the fee (sellerFee).
Distributes Ether between the seller (order.seller) and the contract owner (owner()).
The issue lies in this part of the code:
This validation only ensures that the buyer covers the order price and the seller's portion of the fee (sellerFee). It does not include the full fee, which consists of both sellerFee and the remaining platform fee sent to the owner(). As a result:
The buyer could send less Ether than required to cover the full distribution.
The taxSuccess transfer to owner() might fail due to insufficient funds.
The transfer to owner() could fail, leading to unclaimed platform fees.
Manual code review
To resolve this issue:
Update the fee validation to include the entire platform fee: