Vanguard
First Flight #56
Beginner FriendlyDeFiFoundry
0 EXP
View all submissions
Previous Next
Submission Details
Impact: high
Likelihood: medium

Dynamic Fee Override Can Reach 100%

Author Revealed upon completion

Dynamic Fee override can reach 100% causing an economic denial of service

Description

  • Dynamic fees are intended to discourage certain behaviors while still allowing trading.

  • The constructor allows phasePenaltyBps to be set up to 10,000 bps (100%), meaning a swap can be fully consumed by fees. While intentional, this creates an economic denial-of-service scenario where users can trade but receive effectively zero output.

if (_phase1PenaltyBps > 10000 || _phase2PenaltyBps > 10000) revert InvalidConstructorParams();
// @> 10000 bps (100%) is allowed

Risk

Likelihood:

  • Occurs when deployer sets extreme penalty values

  • Common in adversarial or poorly configured deployments

Impact:

  • Users unknowingly lose entire swap value

  • Frontends may not properly warn users

  • Market becomes unusable during early phases

Proof of Concept

  1. Bot controls 100 EOAs

  2. Each EOA swaps below maxSwapAmount

  3. Cooldown and limits never trigger

  4. Bot acquires large position while paying minimal penalties

Recommended Mitigation

Add a maximum penalty bps and revert when exceeded.

+ uint256 constant MAX_PENALTY_BPS = 9_900; // 99%
- if (_phase1PenaltyBps > 10000 || _phase2PenaltyBps > MAX_PENALTY_BPS) {
+ if (_phase1PenaltyBps > MAX_PENALTY_BPS || _phase2PenaltyBps > MAX_PENALTY_BPS) {
+ revert InvalidConstructorParams();
+ }

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!