code423n4 | Code4rena | CODE423N4:2022-12-PREPO-FINDINGS-ISSUES-264
Dec 12, 2022 - 12:00 a.m.

Irrelevant error message from PrePOMarket.redeem() worries users

Code4rena
github.com

Lines of code

Vulnerability details

Impact

Users may receive the error message "fee = 0" whenever they make a redemption from the PrePOMarket contract if the redemption amount is not large enough. The error message is irrelevant to users: it relates to how the protocol processes the redemption. A user who receives several such messages, with no idea what is happening, may become worried and may doubt whether their assets are still under their control.

Proof of Concept

Assume the user has a sufficient balance of assets for redemption, finalLongPayout > MAX_PAYOUT, FEE_DENOMINATOR = 1000000, and redemptionFee = 100. The user calls redeem(_amount, _amount):

  • when _amount = 100, fail with fee = 0 error
  • when _amount = 1000, fail with fee = 0 error
  • when _amount = 5000, fail with fee = 0 error
  • when _amount = 10000, succeed.

Tools Used

N/A

Recommended Mitigation Steps

Improve the error message so that it includes the actual reason the transaction failed and the required minimum redemption amount.
Alternatively, implement a different fee strategy.
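
The proof of concept and the recommended mitigation can be tied together in a small model. This is an added example, not code from the PrePO contracts: the fee formula (truncating integer division, failure when the fee is 0) is an assumption inferred from the numbers above, and RedemptionTooSmall, min_redeemable and check_redeem are hypothetical names.

```python
# Model of the fee check implied by the proof of concept (constructed example).
# Assumption: fee = amount * redemptionFee // FEE_DENOMINATOR with truncating
# integer division, and the call fails when fee == 0.

FEE_DENOMINATOR = 1_000_000  # value from the proof of concept
REDEMPTION_FEE = 100         # value from the proof of concept


class RedemptionTooSmall(Exception):
    """Hypothetical descriptive error replacing the bare 'fee = 0' message."""


def expected_fee(amount, fee_rate=REDEMPTION_FEE, denom=FEE_DENOMINATOR):
    # Integer division truncates, as unsigned integer division does on-chain.
    return amount * fee_rate // denom


def min_redeemable(fee_rate=REDEMPTION_FEE, denom=FEE_DENOMINATOR):
    """Smallest amount whose fee is at least 1, or None if no amount qualifies."""
    if fee_rate == 0:
        return None  # fee is always 0, so the check can never pass
    return -(-denom // fee_rate)  # ceil(denom / fee_rate) without floats


def check_redeem(amount, fee_rate=REDEMPTION_FEE, denom=FEE_DENOMINATOR):
    """Return the fee, or raise an error that names the actual cause."""
    fee = expected_fee(amount, fee_rate, denom)
    if fee == 0:
        minimum = min_redeemable(fee_rate, denom)
        hint = f"minimum is {minimum}" if minimum is not None else "fee rate is 0"
        raise RedemptionTooSmall(
            f"amount {amount} rounds to a zero redemption fee; {hint}")
    return fee


def poc_outcomes(amounts=(100, 1000, 5000, 10000)):
    """Replay the four amounts from the proof of concept."""
    results = {}
    for amount in amounts:
        try:
            results[amount] = check_redeem(amount)
        except RedemptionTooSmall as exc:
            results[amount] = str(exc)
    return results
```

Calling poc_outcomes() replays the four cases: the first three fail with a message that states the minimum amount, and the fourth returns the fee.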

