Nested Finance contest - ShippooorDAO's results

The one-stop Defi app to build, manage and monetize your portfolio.

General Information

Platform: Code4rena

Start Date: 10/02/2022

Pot Size: $30,000 USDC

Total HM: 5

Participants: 24

Period: 3 days

Judge: harleythedog

Total Solo HM: 3

Id: 86

League: ETH

Nested Finance

Findings Distribution

Researcher Performance

Rank: 15/24

Findings: 2

Award: $160.19

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: pauliax

Also found by: 0xliumin, Dravee, GreyArt, IllIllI, Omik, ShippooorDAO, WatchPug, bobi, csanuragjain, gzeon, kenzo, rfa, robee, samruna

Labels

bug
enhancement
QA (Quality Assurance)

Awards

84.6193 USDC - $84.62

External Links

Lines of code

https://github.com/code-423n4/2022-02-nested/blob/main/contracts/FeeSplitter.sol

Vulnerability details

Impact

Fee distributions can be changed unilaterally at the expense of Nested portfolio creator.

Proof of Concept

Case 1

  1. Assuming an initial entry/exit fee distribution as per documentation (50% treasury, 30% buybacks, 20% royalties)
  2. User creates a portfolio, assuming 0.2% royalties on copy and exit.
  3. A substantial amount of users copy the portfolio, totalling 100M in AUM. The portfolio creator receives fees on entry (100M * 0.2% = 200k) and expects the same amount on exit.
  4. Governance unilaterally changes the split to send 100% of the fees to the protocol's treasury, leaving 0% to the portfolio creator.
  5. Portfolio creator doesn't get expected royalties on exit.

Case 2

  1. Assuming an initial entry/exit fee distribution as per documentation (50% treasury, 30% buybacks, 20% royalties)
  2. User creates a portfolio, assuming 0.2% royalties on copy and exit. User locks up his NFT for 3 years
  3. A substantial amount of users copy the portfolio, totalling 100M in AUM. The portfolio creator receives fees on entry (100M * 0.2% = 200k) and expects the same amount on exit.
  4. Governance unilaterally changes the split to send 100% of the fees to the protocol's treasury, leaving 0% to the portfolio creator.
  5. **Portfolio creator is locked up for 3 years and doesn't receive any royalties for any copy or exit.**

Tools Used

Manual audit

Recommended Mitigation Steps

Lock fees for the duration of the portfolio. Any future fee split change should not affect an already existing NFT.
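The two cases above and the suggested lock, replayed as an added Python model that is not Nested's FeeSplitter.sol: a 50/30/20 split in basis points, a governance change to 100% treasury, and a variant that snapshots the split per NFT at creation. It assumes a 1% total fee on 100M AUM so that the 20% royalty share equals the PoC's 200k.

```python
from dataclasses import dataclass
# Constructed model of a basis-point fee splitter (added here; not Nested's FeeSplitter.sol).
BPS = 10_000

@dataclass(frozen=True)
class Split:
    treasury: int  # basis points; the three must sum to BPS
    buybacks: int
    royalties: int

def distribute(fee: int, split: Split) -> dict:
    """Divide an integer fee between the three recipients by weight."""
    assert split.treasury + split.buybacks + split.royalties == BPS
    return {
        "treasury": fee * split.treasury // BPS,
        "buybacks": fee * split.buybacks // BPS,
        "royalties": fee * split.royalties // BPS,
    }

class MutableSplitter:
    """As in the finding: a governance change applies to every later fee send."""
    def __init__(self, split: Split):
        self.split = split
    def create(self, nft_id: int) -> None:
        pass  # nothing is recorded per portfolio
    def set_split(self, split: Split) -> None:
        self.split = split
    def send_fees(self, fee: int, nft_id: int) -> dict:
        return distribute(fee, self.split)

class LockedSplitter(MutableSplitter):
    """Mitigation: snapshot the split at NFT creation; changes affect only new NFTs."""
    def __init__(self, split: Split):
        super().__init__(split)
        self.locked: dict = {}
    def create(self, nft_id: int) -> None:
        self.locked[nft_id] = self.split
    def send_fees(self, fee: int, nft_id: int) -> dict:
        return distribute(fee, self.locked[nft_id])

def royalties_before_and_after(splitter_cls) -> tuple:
    """Replay the PoC: 100M AUM, 1% fee (assumed) so the 20% royalty share is 200k."""
    s = splitter_cls(Split(5000, 3000, 2000))  # 50% / 30% / 20% as documented
    s.create(nft_id=1)
    fee = 100_000_000 * 100 // BPS  # 1% of 100M = 1,000,000
    on_entry = s.send_fees(fee, 1)["royalties"]
    s.set_split(Split(BPS, 0, 0))  # governance: 100% to treasury
    on_exit = s.send_fees(fee, 1)["royalties"]
    return on_entry, on_exit
```

With the mutable splitter the creator's exit royalties drop from 200,000 to 0 after the governance change; with the locked splitter both legs pay 200,000.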

#0 - maximebrugel

2022-02-11T14:32:03Z

This is more "a request" and not a vulnerability. This mechanism is intentional.

#1 - harleythedogC4

2022-02-27T16:53:34Z

Agree with the sponsor that this isn't an actual vulnerability. The portfolio creator still keeps their previously accumulated fees if the fee distribution changes, it's just that any new calls to _sendFees will not send as many tokens for royalties as it did before. I am going to mark this as low severity.

#2 - harleythedogC4

2022-03-03T01:31:29Z

(Now considering as a QA report) My personal judgements:

  1. "Fee distributions can be changed unilaterally". I will assign this as Valid and non-critical.

#3 - harleythedogC4

2022-03-03T02:29:00Z

Now, here is the methodology I used for calculating a score for each QA report. I first assigned each submission to be either non-critical (1 point), very-low-critical (5 points) or low-critical (10 points), depending on how severe/useful the issue is. The score of a QA report is the sum of these points, divided by the maximum number of points achieved by a QA report. This maximum number was 26 points, achieved by https://github.com/code-423n4/2022-02-nested-findings/issues/66.

The number of points achieved by this report is 1 point. Thus the final score of this QA report is (1/26)*100 = 4.

#4 - CloudEllie

2022-03-24T15:42:25Z

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.

The original title, for the record, was "Fee distributions can be changed unilaterally."

Findings Information

Awards

75.5694 USDC - $75.57

Labels

bug
duplicate
G (Gas Optimization)

External Links

  • FeeSplitter.ETH variable is unused and can be removed

#0 - maximebrugel

2022-02-18T17:46:43Z

#1 - harleythedogC4

2022-03-13T03:23:38Z

My personal judgment: Valid and small-optimization

#2 - harleythedogC4

2022-03-13T06:19:53Z

Now, here is the methodology I used for calculating a score for each gas report. I first assigned each submission to be either small-optimization (1 point), medium-optimization (5 points) or large-optimization (10 points), depending on how useful the optimization is. The score of a gas report is the sum of these points, divided by the maximum number of points achieved by a gas report. This maximum number was 10 points, achieved by #67.

The number of points achieved by this report is 1 point. Thus the final score of this gas report is (1/10)*100 = 10.
