A critical calculation error in the swap protocol fee computation (StabilityBranch::L396) leads to massive overcharging of protocol fees by multiplying the swap fee by the total shares instead of the protocol's proportional share.
The function calculating protocol fees incorrectly multiplies the swap fee by the total fee recipient shares instead of calculating the protocol's proportional share. This results in protocol fees being orders of magnitude larger than intended.
The calculation should instead be:
The calculated amount is used in MarketMakingEngineConfiguration::distributeProtocolAssetReward in order to transfer the reward to the fee recipient. Given the incorrect calculation above, the amount will be taken from the contract balance, jeopardizing the protocol's health and increasing its risk of insolvency.
Consider the following scenario:
fulfillSwap is called in order to swap 1000 USDC for WETH. Given a swap fee percentage of 0.1%, a total of 1 USDC should be deducted from assetsOut to be distributed to fee recipients.
Let's assume there are in total 1000 shares.
With the calculation currently implemented, instead of 1 USDC, 1*1000 = 1000 USDC will be transferred to fee recipients.
As the user has only put 1000 USDC in, which were already swapped for WETH, the funds for the inflated fees will come from the protocol's balance. This can very quickly escalate and drain the protocol's reserves.
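The scenario above as an integer model with a solvency invariant (recipients never receive more than the fee withheld). This is an added example, not code from the audited contracts: the function names, the 6-decimal USDC unit, the 600/400 share split and the pro-rata formula are assumptions made for illustration.

```python
# Added example: integer model of the fee accounting in the scenario above.
# Names, the 6-decimal USDC unit and the share split are assumptions,
# not code from the audited contracts.
USDC = 10**6   # assumed base units per USDC
BPS = 10_000   # basis-point denominator


def swap_fee(amount_in: int, fee_bps: int) -> int:
    """Fee withheld from the swap output (0.1% == 10 bps)."""
    return amount_in * fee_bps // BPS


def fee_as_reported(fee: int, total_shares: int) -> int:
    """Behaviour the finding describes: fee multiplied by total shares."""
    return fee * total_shares


def fee_proportional(fee: int, recipient_shares: int, total_shares: int) -> int:
    """Assumed pro-rata form: the recipient's fraction of the withheld fee."""
    return fee * recipient_shares // total_shares


def reserve_drain(fee_withheld: int, fee_paid: int) -> int:
    """Amount that must come out of protocol reserves for this swap."""
    return max(0, fee_paid - fee_withheld)


def check_invariant(fee_withheld: int, payouts: list) -> bool:
    """Solvency invariant: payouts never exceed the fee that was withheld."""
    return sum(payouts) <= fee_withheld


def scenario() -> dict:
    fee = swap_fee(1000 * USDC, 10)   # 1000 USDC in at 0.1% -> 1 USDC withheld
    total = 1000                      # total shares, as in the scenario
    shares = [600, 400]               # constructed split that sums to total
    buggy = [fee_as_reported(fee, total)]
    fixed = [fee_proportional(fee, s, total) for s in shares]
    return {
        "fee": fee,
        "buggy_paid": sum(buggy),
        "buggy_drain": reserve_drain(fee, sum(buggy)),
        "buggy_ok": check_invariant(fee, buggy),
        "fixed_paid": sum(fixed),
        "fixed_ok": check_invariant(fee, fixed),
    }


if __name__ == "__main__":
    print(scenario())
```

The same invariant, asserted after every swap in a fuzz or invariant test suite, would flag this class of error regardless of the share count.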
Manual Review
Replace the relevant line with the correct calculation from above.