You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Summary
The boost creator can set the value of referralFee to 9_000 when creating the boost. The BoostCore::referralFee (the base fee) is set to 1000 in line 70,
This will make the BoostCore::referralFee to be 10_000 (equal to the BoostCore::FEE_DENOMINATOR) ensuring that 100% of the fees collected when claimants claim their incentives are sent to the referrer address. To get the fees, the boost creator just need to ensure claimants use his address as referrer_ address. The protocol will never receive any fee for this particular boost.
Expected Behavior
No response
Steps To Reproduce
Root Cause
Maximum value for BoostCore::referralFee was not set, allowing boost creators to allocate unlimited fraction of the fees to the referrer.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
The protocol will receive no fees as all the fees will continuously be sent to the referrer_ address.
PoC
Please copy the code below into BoostCore.t.sol and run the test.
Is there an existing issue for this?
Package Version
0.0.0-alpha.12
Current Behavior
Summary
The boost creator can set the value of referralFee to 9_000 when creating the boost. The BoostCore::referralFee (the base fee) is set to 1000 in line 70,
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L70
and added to the boost creator input in line 122,
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L122
This will make the BoostCore::referralFee to be 10_000 (equal to the BoostCore::FEE_DENOMINATOR) ensuring that 100% of the fees collected when claimants claim their incentives are sent to the referrer address. To get the fees, the boost creator just need to ensure claimants use his address as referrer_ address. The protocol will never receive any fee for this particular boost.
Expected Behavior
No response
Steps To Reproduce
Root Cause
Maximum value for BoostCore::referralFee was not set, allowing boost creators to allocate unlimited fraction of the fees to the referrer.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
The protocol will receive no fees as all the fees will continuously be sent to the referrer_ address.
PoC
Please copy the code below into BoostCore.t.sol and run the test.
Mitigation
Set a maximum value for BoostCore::referralFee and refactor BoostCore::createBoost as shown below.
Link to Minimal Reproducible Example (StackBlitz, CodeSandbox, GitHub repo etc.)
sherlock-audit/2024-06-boost-aa-wallet-judging#158
Anything else?
No response
The text was updated successfully, but these errors were encountered: