Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

StabilityBranch::fulfillSwap does not handle Remaining Swap Fee

Summary

The function fulfillSwap calculates the protocol's share of the swap fee using:

ctx.protocolSwapFeeX18 = ctx.swapFeeX18.mul(ud60x18(marketMakingEngineConfiguration.totalFeeRecipientsShares));

where totalFeeRecipientsShares cannot exceed 0.9e18 according to the docs. This leaves at least 10% of swapFeeX18 unaccounted for. The remaining fee is not transferred, distributed, or accessible, leading to funds being permanently locked.


Vulnerability Details

The code assigns only a portion of the swap fee (swapFeeX18) to protocolSwapFeeX18:

ctx.protocolSwapFeeX18 = ctx.swapFeeX18.mul(ud60x18(marketMakingEngineConfiguration.totalFeeRecipientsShares));

  • totalFeeRecipientsShares is capped at 0.9e18, meaning at most 90% of swapFeeX18 is accounted for.

  • The remaining swapFeeX18 (10% or more) is never transferred or distributed, resulting in a permanent lock.

  • This will lead to lost funds over time.


Impact

The unhandled portion of swapFeeX18 remains locked in the contract.


Recommendation

Either distribute the entire swapFeeX18 to fee recipients, or save the remaining fee to the vault's wethRewardDistribution after converting the asset to WETH.
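
The split described in this submission and its recommended change, modelled off-chain as an added example (not code from the Zaros repository or from the submitter). It assumes 18-decimal fixed-point multiplication that rounds down; FeeLedger, settle_swap_fee, reconcile and the vault_rewards sink are hypothetical names, the sample fees are constructed, and the WETH conversion step is left out.

```python
from dataclasses import dataclass

UNIT = 10**18                      # 18-decimal fixed-point unit (1e18)
MAX_RECIPIENT_SHARES = 9 * 10**17  # 0.9e18 cap cited in the submission


def mul_x18(a: int, b: int) -> int:
    """18-decimal fixed-point multiply; floor rounding is an assumption."""
    return a * b // UNIT


@dataclass
class FeeLedger:
    protocol: int = 0       # paid to protocol fee recipients
    vault_rewards: int = 0  # hypothetical sink for the recommended change
    unallocated: int = 0    # fee assigned to no sink

    def total(self) -> int:
        return self.protocol + self.vault_rewards + self.unallocated


def settle_swap_fee(ledger, swap_fee_x18, recipient_shares_x18, route_remainder):
    """Split one swap fee. route_remainder=False models the behaviour the
    submission describes; True models its recommendation."""
    if recipient_shares_x18 > MAX_RECIPIENT_SHARES:
        raise ValueError("totalFeeRecipientsShares above the 0.9e18 cap")
    protocol_fee = mul_x18(swap_fee_x18, recipient_shares_x18)
    # Remainder by subtraction, so rounding dust is never dropped.
    remainder = swap_fee_x18 - protocol_fee
    ledger.protocol += protocol_fee
    if route_remainder:
        ledger.vault_rewards += remainder
    else:
        ledger.unallocated += remainder
    return protocol_fee, remainder


def reconcile(swap_fees_x18, recipient_shares_x18, route_remainder):
    """Run constructed swap fees through the split and check conservation."""
    ledger = FeeLedger()
    for fee in swap_fees_x18:
        settle_swap_fee(ledger, fee, recipient_shares_x18, route_remainder)
    assert ledger.total() == sum(swap_fees_x18), "fee not conserved"
    return ledger


# Constructed sample fees (x18), including one that does not divide evenly.
SAMPLE_FEES = [3 * UNIT, UNIT + 1, 25 * 10**16]
```

Taking the remainder by subtraction rather than by a second multiplication keeps the sum of all sinks equal to swapFeeX18 even when the multiplication truncates.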

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
