Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Round up protocol fee to 1 if its 0 #331

Closed
smol-ninja opened this issue Nov 11, 2024 · 2 comments
Closed

Round up protocol fee to 1 if its 0 #331

smol-ninja opened this issue Nov 11, 2024 · 2 comments
Assignees
@smol-ninja
Labels
effort: medium Default level of effort. priority: 0 Do this first before everything else. This is critical and nothing works without this. type: bug Something isn't working. work: clear Sense-categorize-respond. The relationship between cause and effect is clear.

Comments

@smol-ninja
Copy link
Member

smol-ninja commented Nov 11, 2024
edited
Loading

Reported in Codehawk audit, a user can bypass paying the protocol fee by withdrawing in smaller amounts such that 10% of it becomes 0. For example,

  • Withdraw amount: 9 tokens
  • Protocol fee: 10% becomes 0.9 = 0 in solidity

Thus, as a fix, round up the protocol fee to 1 token if the following conditions are met:

  1. withdraw amount > 0 AND
  2. protocol fee (10% of withdraw amount ) == 0

Note: Double check that the function reverts when withdraw amount is 0 so that users do not pay a fee of 1 token when there are no tokens to withdraw.
@smol-ninja smol-ninja added priority: 0 Do this first before everything else. This is critical and nothing works without this. effort: medium Default level of effort. type: bug Something isn't working. work: clear Sense-categorize-respond. The relationship between cause and effect is clear. labels Nov 11, 2024
@smol-ninja smol-ninja changed the title Apply a protocol fee of 1 when withdraw amount > 0 but protocol fee is 0 due to rounding offs Round up protocol fee to 1 if its 0 Nov 11, 2024
@smol-ninja smol-ninja self-assigned this Nov 11, 2024
@smol-ninja
Copy link
Member Author

The same issue exists in depositViaBroker as well. Should we deduct 1 there as well in case fee rounds down to zero (the same problem exists in lockup too)? Or should we ignore it and let broker manage it on their side (since deposit amount is in their control)?

@smol-ninja smol-ninja mentioned this issue Nov 11, 2024
Closed
@smol-ninja smol-ninja closed this as not planned Won't fix, can't repro, duplicate, stale Nov 12, 2024
@smol-ninja
Copy link
Member Author

#336 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@smol-ninja smol-ninja

Labels
effort: medium Default level of effort. priority: 0 Do this first before everything else. This is critical and nothing works without this. type: bug Something isn't working. work: clear Sense-categorize-respond. The relationship between cause and effect is clear.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: round up protocol fee if it rounds down to 0 sablier-labs/flow
1 participant
@smol-ninja