Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

[L-01] Lack of Validation on Deposit and Redeem Fees in Create Function

jakefromstatefarm

Summary

The create function does not restrict depositFee or redeemFee, allowing the creation of vaults with fees at 100% or higher. This configuration effectively prevents users from depositing or redeeming, damaging user trust and rendering the vault unusable.

Vulnerability Details

Vault creation parameters include depositFee and redeemFee with no upper bound. The absence of validation breaks reasonable economic assumptions by permitting fees that fully capture user funds on deposit or withdrawal. Malicious or careless configuration can set these fees to 100% or more, causing deposits to yield nothing or redeems to burn the entire withdrawal. This issue materializes when the create function is called with extreme fee values, imposing a direct barrier to normal vault operations.

function create(CreateParams memory params) internal {

Data storage self = load(params.vaultId);

if (self.id != 0) {

revert Errors.VaultAlreadyExists(params.vaultId);

}

// No validation checks are performed on depositFee or redeemFee here

self.id = params.vaultId;

self.depositCap = params.depositCap;

self.withdrawalDelay = params.withdrawalDelay;

self.indexToken = params.indexToken;

self.collateral = params.collateral;

self.depositFee = params.depositFee; // <-- Unbounded assignment

self.redeemFee = params.redeemFee; // <-- Unbounded assignment

self.engine = params.engine;

self.isLive = true;

}

Impact

Low

A 100% (or higher) fee halts user participation by nullifying deposits or redeems. This undermines core functionality, drives away liquidity, and erodes confidence in the vault, justifying a Low severity classification from a security standpoint but a clear design flaw that still harms the user experience.

Call the create function with params.depositFee = 1e18 (representing 100%) and params.redeemFee = 1e18.

Deploy the vault with these parameters.
Subsequent user deposits become entirely subject to the fee, rendering them worthless, and redemption similarly becomes impossible for users wishing to withdraw any value.

Recommendations

Enforce upper limits on the fee parameters:

require(params.depositFee <= 0.5e18, "Deposit fee too high");

require(params.redeemFee <= 0.5e18, "Redeem fee too high");

This mechanism guarantees fees remain within acceptable economic constraints, prevents destructive vault configurations, and preserves a functional environment for end users.

Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.