Skip to content

Latest commit

 

History

History
43 lines (31 loc) · 1.59 KB

045.md

File metadata and controls

43 lines (31 loc) · 1.59 KB

Tiny Mulberry Buffalo

Medium

Sell slippage is applied before fees

Summary

When selling, the user specifies a minimumVotePrice - this is the minimum average price they're willing to sell their votes at.

    (uint256 proceedsBeforeFees, uint256 protocolFee, uint256 proceedsAfterFees) = _calculateSell(
      markets[profileId],
      profileId,
      isPositive,
      votesToSell
    );

    uint256 pricePerVote = votesToSell > 0 ? proceedsBeforeFees / votesToSell : 0;
    if (pricePerVote < minimumVotePrice) {
      revert SellSlippageLimitExceeded(minimumVotePrice, pricePerVote);
    }

As we can see however, the actual pricePerVote is calculated using proceedsBeforeFees, which does not have the protocol fees deducted. As a result, the user's slippage is applied before the protocol takes their fees and the user can still receive less funds than what they've explicitly specified.

Root Cause

Wrong logic

Attack Path

  1. User wishes to sell 10 votes and sets minimumVotePrice to 0.1 ETH.
  2. The total vote price before fees is calculated to 1.01 ETH. As 0.101 > 0.1 ETH, the slippage passes.
  3. The protocol then takes their 5% fee.
  4. The user receives ~0.96 ETH. This is an average price of 0.096 per token. Although the user explicitly specified a minimum vote price of 0.1 ETH.

Impact

User receives less than specified.

Affected Code

https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L553

Mitigation

Calculate the average price using proceedsAfterFees instead of proceedsBeforeFees.