Cheesy Cinnabar Mammoth
High
When a user calls buyVotes() on a market, the marketFunds state variable incorrectly tracks funds by including protocol fees and donations in its total, leading to an over-withdrawal when markets are graduated. While protocol fees are immediately sent to protocolFeeAddress and donations are tracked in donationEscrow, these amounts remain counted in marketFunds. This double counting causes the protocol to withdraw more funds than it should when calling withdrawGraduatedMarketFunds().
In the _calculateBuy() function, fees and donations are added to fundsPaid, rather than just the amount paid for votes:
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L978
Then in buyVotes(), marketFunds is increased by fundsPaid:
https://github.com/sherlock-audit/2024-11-ethos-network-ii/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L481
- At least the protocol fee or donation fee is non-zero
- Market is graduated
withdrawGraduatedMarketFundsis called
- 2 or more markets are created
- Votes are purchases for 2 or more markets
- A market is created
- A user calls
buyVotes()to buy votes for that market.marketFundsis increased by the amount the user paid for votes + the protocol fee + the donation amount. Fees are sent to the protocol and donations are updated. - The donation recipient calls
withdrawDonationsto withdraw their donations. - The protocol graduates the market and then calls
withdrawGraduatedMarketFundswhich withdraws not just the amount the user paid for votes, but also the protocol fee and donations again.
Loss of funds since protocol fee and donations are being double counted.
No response
Don't include the protocol fee and the donation amount when updating marketFunds