Skip to content

Latest commit

 

History

History
43 lines (24 loc) · 1.42 KB

083.md

File metadata and controls

43 lines (24 loc) · 1.42 KB

Cheesy Cinnabar Mammoth

High

Vote buyers get overcharged when a non-zero protocol fee is set

Summary

The README state "Maximum total fees cannot exceed 10%", however, this isn't true. When a user calls buyVotes(), they should be charged the protocol fee of entryProtocolFeeBasisPoints on the amount they pay for in votes. However, the protocol fee is charged on the amount the user sends in, NOT on the amount they end up paying.

Root Cause

The protocol fee is being applied to the msg.value amount funds, instead of to the actual amount the user is to pay for the votes they purchased.

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L960

Internal pre-conditions

  1. A non zero entryProtocolFeeBasisPoints is set

External pre-conditions

  1. A user calls buyVotes() with a msg.value amount that is greater than the actual amount they end up paying.

Attack Path

  1. Market is created
  2. User calls buyVotes()
  3. The amount they actually have to pay is less than the msg.value amount
  4. They get charged the protocol fee on the msg.value amount rather than the amount they paid for
  5. They get refunded any amount they didn't use, but still paid the protocol fee on that amount.

Impact

Users buying votes get overcharged in protocol fee

PoC

No response

Mitigation

Apply the fee to the fundsPaid, not the msg.value amount.