Fees are taken on risk collateral #44
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
edited-by-warden
selected for report
This submission will be included/highlighted in the audit report
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4
added
2 (Med Risk)
code423n4
changed the title
liveactionllama
added
sponsor disputed
|
Agree with the warden. If the withdrawal fee exceeds the premium paid, risk users are disincentivised to provide collateral.
Not sure if the warden is referring to the fee as the trading fee |
HickupHH3
added
the
selected for report
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/ac3e86f07bc2f1f51148d2265cc897e8b494adf7/src/Vault.sol#L203-L234
Vulnerability details
Impact
Fees are taken on funds deposited as collateral
Proof of Concept
In L226 of Vault.sol#withdraw the fee is taken on the entire collateral deposited by the risk users. This is problematic for two reasons. The first is that the collateral provided by the risk users will likely be many many times higher than the premium being paid by the hedge users. This will create a strong disincentive to use the protocol because it is likely a large portion of the profits will be taking by fees and the risk user may unexpectedly lose funds overall if premiums are too low.
The second issue is that this method of fees directly contradicts project documents which clearly indicate that fees are only taken on the premium and insurance payouts, not when risk users are receiving their collateral back.
Tools Used
Recommended Mitigation Steps
Fee calculations should be restructured to only take fees on premiums and insurance payouts
The text was updated successfully, but these errors were encountered: