Summary

A logical flaw exists in the governance fee calculation mechanism during user withdrawals. The protocol only charges fees when the withdrawal amount exceeds the initial deposit amount, ignoring gains from compounded returns or multiple deposits. This allows users to bypass fees by strategically splitting withdrawals, leading to protocol revenue loss.

Vulnerability Details

Affected Code

Root Cause

1. Simplistic Fee Trigger Condition:

   • Fees are only applied if amount > initial deposit, failing to account for:

     • Compounded Returns: Assets growing through reinvested profits.

     • Multiple Deposits: Users making successive deposits/withdrawals.

2. Profit Segmentation Exploit:

   • Users can withdraw profits incrementally (each portion ≤ initial deposit) to avoid triggering the fee condition.

Attack Scenario

1. Initial State:

   • User deposits 100 USDC. Assets grow to 200 USDC via investments.

2. Malicious Withdrawal Pattern:

   • Withdrawal 1: 100 USDC (equal to initial deposit → 0 fee).

   • Withdrawal 2: 100 USDC (protocol treats this as new withdrawal with no initial deposit record → 0 fee).

3. Result:

   • User extracts full 200 USDC (100% profit) without paying any governance fees.

Impact

• Protocol Revenue Loss: Fees are evaded on legitimate profits, directly reducing protocol income.

• Economic Incentive Distortion: Honest users subsidize fee-avoiding actors, creating unfair advantages.

• Scalability Risk: At scale, this could destabilize protocol treasury reserves.

• Reputational Damage: Users may lose trust in protocol's economic design rigor.

Tools Used

manual review