Vader Protocol contest - shri4net's results

Liquidity Protocol anchored by Native Stablecoin with Slip-Based Fees AMM, IL protection and Synthetics.

General Information

Platform: Code4rena

Start Date: 09/11/2021

Pot Size: $75,000 USDC

Total HM: 57

Participants: 27

Period: 7 days

Judge: alcueca

Total Solo HM: 49

Id: 52

League: ETH

Vader Protocol

Findings Distribution

Researcher Performance

Rank: 19/27

Findings: 1

Award: $295.08

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: jayjonah8

Also found by: rfa, shri4net, xYrYuYx

Labels

bug
duplicate
3 (High Risk)
sponsor acknowledged
XVader

Awards

295.0764 USDC - $295.08

External Links

Handle

shri4net

Vulnerability details

Impact

An unintended fee is charged to the user when calling the leave function in XVader.sol as part of voting/governance.

Proof of Concept

Ref: contracts/x-vader/XVader.sol, function leave
Ref: contracts/tokens/Vader.sol, function _transfer

Example: the user locks 100 Vader and mints xVader shares via the enter function. Later, the user claims the Vader back via the leave function. During the leave, the user gets less than 100 Vader, because the tax is computed and subtracted from the locked amount.

File: contracts/x-vader/XVader.sol

    function leave(uint256 _shares) external {
        // Gets the amount of xVader in existence
        uint256 totalShares = totalSupply();
        // Calculates the amount of vader the xVader is worth
        uint256 vaderAmount = (_shares * vader.balanceOf(address(this))) / totalShares;

        _burn(msg.sender, _shares);
        vader.transfer(msg.sender, vaderAmount);
    }

Comment: since XVader is not in the untaxed bracket, the amount transferred back has the tax deducted.

File: contracts/tokens/Vader.sol

    function _transfer(
        address sender,
        address recipient,
        uint256 amount
    ) internal override {
        if (untaxed[msg.sender])
            return ERC20._transfer(sender, recipient, amount);

        uint256 fee = calculateFee();

        uint256 tax = (amount * fee) / _MAX_BASIS_POINTS;

        amount -= tax;

        _burn(sender, tax);

        ERC20._transfer(sender, recipient, amount);
    }

Tools Used

Manual code review and a unit test of the issue

Recommended Mitigation Steps

Add the XVader contract address to untaxed[] as well, alongside _vest etc., in function setComponents.

Modified code snippet (line 148):

    function setComponents(
        ...,
        XVader _xvader, // To be added
        ...
    ) external onlyOwner {
        ...
        untaxed[address(_xvader)] = true; // To be added
        ...
    }
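The following is an added Python model of the tax path in the proof of concept and the proposed untaxed[] fix; it is not Vader Protocol's code. The fee rate, the pool balance and the share counts are constructed values, and the real rate would come from calculateFee().

```python
# Added model (not Vader Protocol's code) of Vader._transfer and XVader.leave.
# Fee rate, balances and share counts are constructed for illustration.
MAX_BASIS_POINTS = 10_000


class Vader:
    """Minimal model of Vader._transfer: the tax is burned unless msg.sender is untaxed."""

    def __init__(self, fee_bps):
        self.fee_bps = fee_bps  # stand-in for calculateFee()
        self.balances = {}
        self.untaxed = set()

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _erc20_transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount

    def transfer(self, msg_sender, recipient, amount):
        # if (untaxed[msg.sender]) return ERC20._transfer(sender, recipient, amount);
        if msg_sender in self.untaxed:
            return self._erc20_transfer(msg_sender, recipient, amount)
        tax = (amount * self.fee_bps) // MAX_BASIS_POINTS
        amount -= tax
        self.balances[msg_sender] -= tax  # _burn(sender, tax)
        self._erc20_transfer(msg_sender, recipient, amount)


def leave(vader, xvader, user, user_shares, total_shares):
    """Mirror of XVader.leave: pay out the pro-rata Vader behind the burned shares."""
    vader_amount = (user_shares * vader.balance_of(xvader)) // total_shares
    vader.transfer(xvader, user, vader_amount)  # msg.sender here is the XVader contract
    return vader.balance_of(user)


def received_on_leave(whitelist_xvader, fee_bps=100):
    """Constructed scenario: the user owns all 100 shares, backed by 100 Vader in the pool."""
    vader = Vader(fee_bps)
    vader.balances = {"xvader": 100}
    if whitelist_xvader:
        vader.untaxed.add("xvader")  # the proposed setComponents fix
    return leave(vader, "xvader", "user", 100, 100)


if __name__ == "__main__":
    print(received_on_leave(False), received_on_leave(True))  # 99 100
```

With a 1% fee the user gets back 99 of the 100 locked Vader; once XVader is whitelisted the full 100 is returned.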
