Skip to content

Latest commit

 

History

History
75 lines (45 loc) · 2.62 KB

062.md

File metadata and controls

75 lines (45 loc) · 2.62 KB

Slow Tan Swallow

Medium

Buy fee is much higher than sell fee, causing a discrepency

Summary

Buy fees are taken before the purchase (on the total amount)

https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L959-L961

  function _calculateBuy(Market memory market, bool isPositive, uint256 funds){
    uint256 fundsAvailable;
    (fundsAvailable, protocolFee, donation) = previewFees(funds, true);

    uint256 votePrice = _calcVotePrice(market, isPositive);

Where as sell fees are taken from the amount sold: https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L1041-L1045

  function _calculateSell(Market memory market, uint256 profileId, bool isPositive, uint256 amount){
    // ...

    (fundsReceived, protocolFee, ) = previewFees(fundsReceived, false);
    minPrice = votePrice;

    return (votesSold, fundsReceived, votePrice, protocolFee, minPrice, maxPrice);
  }

It seems logical that sell fees are charging only what is sold, but why then buy fees should charge on the total amount used to buy, and not only on the stuff bought ?

Here is an example to illustrate the point further: Fees are 10% for both buy and sell (makes math easy)

  1. Alice want to sell her expensive vote and she does so for 6 ETH, paying 0.6 ETH as a fee
  2. Bob wants to buy an expensive vote, so he sends 10 ETH, however the vote costs 6 ETH
  3. Bob pays 1 ETH as fees and gets a vote that cost 6 ETH, 7 ETH spend in total

The difference here is that Bob spend 1 ETH in fees, where as Alice only 0.6, which is about 40% difference. In this example the votes are expensive, however even in normal cases where votes are cheap buyers will still pay a bigger fee than the one they should.

If a buyer buys 5 votes for 0.5 ETH and he knows that the fee is 10%, but gets charged 0.06 or 0.07 ETH fee then he would not wanna participate any further.

Root Cause

Buy fee being charged on the total amount instead on the one used to buy the actual votes.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Inside the summary

Impact

Buys will pay higher fees than sellers, even thought the fees should be the same.

This will disincentivize buying as if a buyer buys 5 votes for 0.5 ETH and he knows that the fee is 10%, but gets charged 0.06 or 0.07 ETH fee then he would not wanna participate any further.

PoC

No response

Mitigation

Consider taking the fee on the amount bought and returning the rest in order to fix this discrepancy.