
24 matches found

Code423n4
• added 2023/12/21 12:00 a.m. • 12 views

Incorrect fee calculation may lead to borrower overpaying

Lines of code Vulnerability details Summary Fees are incorrectly snapshotted when a new lien is created, potentially leading to a fee overpay. Impact The Particle LAMM protocol tracks fees using the same internal tracking built in Uniswap V3. Positions in Uniswap V3 contain a couple of variables...

AI score: 6.7
Exploits: 0

Code423n4
• added 2023/12/08 12:00 a.m. • 8 views

Unwrapping function emits event with incorrect values.

Lines of code Vulnerability details Impact The etherUnwrap function in the smart contract does not correctly emit the EtherUnwrap event. The issue arises when calculating and emitting the fee and transfer amounts. The current implementation deducts the fee, transfers the calculated amount, and...

AI score: 7
Exploits: 0

Code423n4
• added 2023/08/07 12:00 a.m. • 8 views

Calculation Errors in calculateAndSendFee Function of OptionsPositionManager Contract

Lines of code Vulnerability details Bug Description In the OptionsPositionManager contract, specifically in the calculateAndSendFee function lines 365 to 367, there are several mathematical errors that impact the accuracy of the feeAmount result. These errors can lead to incorrect fee calculation...

AI score: 6.7
Exploits: 0

Code423n4
• added 2023/07/07 12:00 a.m. • 8 views

Decimal is not correct in fee calculation

Lines of code Vulnerability details Impact The decimal doesn't match in the fee calculation, so this will break the fee calculation. Since fee calculation is very important in Mint/Burn actions, this problem can ruin the core functionality of transmuter. Proof of Concept This is the non-exact min...

AI score: 6.9
Exploits: 0

Code423n4
• added 2023/04/13 12:00 a.m. • 7 views

CHANGEFEE IS NOT CORRECTLY SCALED IN FLASHLOAN()

Lines of code Vulnerability details Impact changeFee that has been scaled with 4 decimals of basis points is being adopted by flashloan. This could make the function behave in an unexpected manner than intended. Proof of Concept The fee is calculated as: PrivatePool.solL632 uint256 fee =...

AI score: 7.1
Exploits: 0

Code423n4
• added 2023/04/13 12:00 a.m. • 6 views

PrivatePool.change does not work with token with less than 4 decimals

Lines of code Vulnerability details PrivatePool.change does a call to changeFeeQuote to calculate the fee amount. It computes an exponent as ERC20baseToken.decimals - 4 File: src/PrivatePool.sol 731: function changeFeeQuoteuint256 inputAmount public view returns uint256 feeAmount, uint256...

AI score: 6.8
Exploits: 0

Code423n4
• added 2023/04/13 12:00 a.m. • 8 views

Users wouldn't refund from the lost ETH crowdfunds due to the lack of ETH

Lines of code Vulnerability details Impact After the ETH crowdfunds are lost, contributors wouldn't refund their funds because the crowdfunds contract doesn't have enough ETH balance. Proof of Concept The core flaw is calculateRefundAmount might return more refund amount than the original...

AI score: 6.7
Exploits: 0

Code423n4
• added 2022/12/12 12:00 a.m. • 5 views

Permanent freeze of yield when TokenSender rewards bank is depleted and deposit or withdraw is called.

Lines of code Vulnerability details Description In collateral deposit and withdraw flow, a fee is calculated as a percentage of user's requested amount. It is passed to the DepositHook and WithdrawHook, for example in deposit: uint256 amountAfterFee = amount - fee; if addressdepositHook != addres...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/11/28 12:00 a.m. • 13 views

fee loss in AutoPxGmx and AutoPxGlp and reward loss in AutoPxGlp by calling PirexRewards.claim(pxGmx/pxGpl, AutoPx*) directly which transfers rewards to AutoPx* pool without compound logic get executed and fee calculation logic and pxGmx wouldn't be executed for those rewards

Lines of code Vulnerability details Impact Function compound in AutoPxGmx and AutoPxGlp contracts is for compounding pxGLP and additionally pxGMX rewards. it works by calling PirexGmx.claimpx, this to collect the rewards of the vault and then swap the received amount to calculate the reward,...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/10/23 12:00 a.m. • 10 views

Attacker can steal entire reserves by abusing fee calculation

Lines of code Vulnerability details Description Similar to other LP pools, In Trader Joe users can call mint to provide liquidity and receive LP tokens, and burn to return their LP tokens in exchange for underlying assets. Users collect fees using collectFessaccount,binID. Fees are implemented...

AI score: 7.1
Exploits: 0

Code423n4
• added 2022/10/23 12:00 a.m. • 8 views

Wrong implementation of function LBPair.setFeeParameter can break the functionality of LBPair and make user's tokens locked

Lines of code Vulnerability details Vulnerable detail Struct FeeParameters contains 12 fields as follows: struct FeeParameters // 144 lowest bits in slot uint16 binStep; uint16 baseFactor; uint16 filterPeriod; uint16 decayPeriod; uint16 reductionFactor; uint24 variableFeeControl; uint16...

AI score: 6.6
Exploits: 0

Code423n4
• added 2022/09/19 12:00 a.m. • 5 views

fee could round down to 0

Lines of code Vulnerability details Impact fee and memberSupply calculation will be inaccurate. Proof of Concept // contracts/distribution/TokenDistributor.sol 352-353: uint128 fee = supply args.feeBps / 1e4; uint128 memberSupply = supply - fee; When supply is low, fee could round down to 0, whic...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/06/26 12:00 a.m. • 6 views

Inaccurate fee calculation

Lines of code Vulnerability details Impact The equation in the calculateFee function has a high degree of inaccuracy. Solidity uses integers; when dividing one uint256 by another uint256, the division takes the floor number and ignores the decimal part. For example: a = 1999 ETH feenominator = 1000 the retu...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/05/28 12:00 a.m. • 8 views

Wrong fee calculation between Router & Market

Lines of code Vulnerability details Impact The wrong fee calculation can cause a loss to users' fund and this loss will be stuck in RubiconRouter Proof of Concept We have the default $feeBPS = 20, BPS = 10000$ Let's assume that alice call RubiconRouter.swappayamt=1000000 Through router, alice wil...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/05/28 12:00 a.m. • 9 views

Multi-hop routes will leave a dust trail

Lines of code Vulnerability details Impact By calling RubiconMarket.buyid, quantity as a consequence of L239 and L241 with quantity = currentAmount - currentAmount expectedMarketFeeBPS / 10000 ...the fee calculated by the buy function amounts to: currentAmount - currentAmount expectedMarketFeeBPS...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/05/17 12:00 a.m. • 8 views

maxFee is not checked against a max value while being updated

187 comment Warden: catchup Lines of code Vulnerability details changeFee maxFee should be checked against a maximum value like 10% to make sure it is not set too high by mistake. Impact maxFee can be set beyond limits which would mess up fee calculations. Proof of Concept getTransferFee function...

AI score: 6.8
Exploits: 0

Code423n4
• added 2022/01/13 12:00 a.m. • 8 views

[WP-M17] Vault.sol Tokens with fee on transfer are not supported

Handle WatchPug Vulnerability details There are ERC20 tokens that charge fee for every transfer / transferFrom. Vault.soladdValue assumes that the received amount is the same as the transfer amount, and uses it to calculate attributions, balance amounts, etc. While the actual transferred amount c...

AI score: 7
Exploits: 0

Code423n4
• added 2022/01/10 12:00 a.m. • 10 views

investedAssets ignores fees and can cause insolvency

Handle danb Vulnerability details investedAssets doesn't subtract the fees owed to the treasury, this makes the system think that it has more than it really has. Proof of Concept consider the following scenario: perfFeePct is 20%. the system generated 1M dollars yield in aust that it didn't rede...

AI score: 6.9
Exploits: 0

Code423n4
• added 2021/12/10 12:00 a.m. • 10 views

Fee calculation is slightly off

Handle gzeon Vulnerability details Impact The fee calculation uint256 timeDiff = block.timestamp - lastFee; uint256 feePct = timeDiff licenseFee / ONEYEAR; uint256 fee = startSupply feePct / BASE - feePct; tries to calculate a fee such that fee/supply+fee = %fee using a simple interest formula i....

AI score: 6.9
Exploits: 0

Code423n4
• added 2021/12/10 12:00 a.m. • 8 views

Basket:handleFees(): fees are overcharged

Handle GiveMeTestEther Vulnerability details Impact The fee calculation is based on the totalSupply of the basket token. But some amount of the totalSupply represents the fees paid to the publisher/ protocol owner. Therefore the fees are "overcharged": because the fee amount is calculated on a pa...

AI score: 6.8
Exploits: 0