Fee transfer in `collectUsdcFromSelling` is a self-transfer no-op — fees never isolated
Root + Impact
Description
Line 181 executes
usdc.safeTransfer(address(this), fees)— the contract sends USDC to itself, which is a no-op. Fees are tracked only viatotalFeesCollectedbut never separated from user funds.
Risk
Likelihood:
Executes on every call to
collectUsdcFromSelling
Impact:
Wasted gas. No ring-fenced fee balance —
withdrawFees()draws from the same pool as user collateral
Proof of Concept
Calling collectUsdcFromSelling triggers usdc.safeTransfer(address(this), fees) which transfers USDC from the contract to itself — a no-op that costs gas. The contract balance does not change from this call; only the subsequent safeTransfer(msg.sender, amountToSeller) moves funds.
Recommended Mitigation
Remove the self-transfer. The fee accounting via totalFeesCollected is sufficient since the contract already retains fees worth of USDC by only sending price - fees + collateral to the seller.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.