The fee is charged to the seller, so the seller receives less funds than expected when a user buys an Order
Description
The seller expects to receive the same amount of tokens as stated in the order. However, because the fee is deducted from the seller's proceeds, the seller receives fewer tokens than expected.
@> uint256 sellerReceives = order.priceInUSDC - protocolFee;
iUSDC.safeTransferFrom(msg.sender, address(this), protocolFee);
@> iUSDC.safeTransferFrom(msg.sender, order.seller, sellerReceives);
Risk
Likelihood:
This vulnerability will occur every time, since it is a core feature of the protocol.
Impact:
The seller will receive fewer tokens than expected in the Order.
Proof of Concept
The following PoC demonstrates that alice created an Order where she expects to receive 180_000e6 USDC, but the amount received is different.
function testIncorrectFeesLogic() public {
    // Alice creates a sell order priced at 180_000e6 USDC.
    vm.startPrank(alice);
    wbtc.approve(address(book), 2e8);
    uint256 aliceId = book.createSellOrder(
        address(wbtc),
        2e8,
        180_000e6,
        2 days
    );
    vm.stopPrank();

    // Dan buys the order.
    vm.startPrank(dan);
    usdc.approve(address(book), 200_000e6);
    book.buyOrder(aliceId);
    vm.stopPrank();

    // Log the USDC Alice actually received for the order.
    console2.log("Alice's balance: ", usdc.balanceOf(alice));
}
Logs:
Alice's balance: 174600000000
Recommended Mitigation
The fee should be charged to the buyer, so that the seller receives the expected amount of tokens.
+ uint256 sellerReceives = order.priceInUSDC;
iUSDC.safeTransferFrom(msg.sender, address(this), protocolFee);
iUSDC.safeTransferFrom(msg.sender, order.seller, sellerReceives);
IERC20(order.tokenToSell).safeTransfer(msg.sender, order.amountToSell);
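Review bot: with `sellerReceives = order.priceInUSDC`, the two `safeTransferFrom(msg.sender, ...)` calls now pull `order.priceInUSDC + protocolFee` from the buyer, and nothing in the visible lines tells the buyer about the larger total. Document in the function's comments that the buyer must approve the price plus the fee, otherwise a buyer who approved exactly `order.priceInUSDC` will see the second transfer revert. The hunk also shows only the `+` line for `sellerReceives`; include the removed `- uint256 sellerReceives = order.priceInUSDC - protocolFee;` line so the change is unambiguous, and extend the PoC test to assert that the seller's USDC balance equals the order price rather than only logging it.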