Configuring fee recipient on Market Making Engine will revert when the new value is lower than the original one
Summary
The configureFeeRecipient function in MarketMakingEngineConfigurationBranch incorrectly checks total fee shares when reducing a recipient's allocation, causing legitimate share reduction operations to revert when shares are near the maximum limit.
Vulnerability Details
In MarketMakingEngineConfigurationBranch::configureFeeRecipient, the function validates the total shares after configuration would not exceed MAX_CONFIGURABLE_PROTOCOL_FEE_SHARES. However, the check fails to account for the fact that reducing a recipient's share allocation should always be allowed as it decreases the total shares.
The problematic check MarketMakingEngineConfigurationBranch:L625-L627
Impact
If the protocol fee shares is fully utilized, it's not possible to lower any fee recipient's share allocation. The protocol administrators lose the ability to manage share distributions.
Proof of concept
Consider the following scenario:
address(Alice) currently receives a share of 0.05e18
Constants.MAX_CONFIGURABLE_PROTOCOL_FEE_SHARES = 0.9e18;
marketMakingEngineConfiguration.totalFeeRecipientShares = 0.89e18;
We call the function configureFeeRecipient(address(Alice),0.012e18);
This means that we are lowering the allocation of Alice from 0.05e18 to 0.012e18, which should be permitted
As 0.89e18 + 0.012e18 > 0.9e18evaluates to true, the function will revert, even though the action should be permitted.
Tools Used
Manual Review
Recommendations
Modify the share validation to account for the recipient's current allocation
Lead Judging Commences
MarketMakingEngineConfigurationBranch::configureFeeRecipient can cause DOS when attempting to change share value of an existing address
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.