Skip to content

Latest commit

 

History

History
41 lines (30 loc) · 1.32 KB

007.md

File metadata and controls

41 lines (30 loc) · 1.32 KB

Proud Rusty Mantis

Medium

Users are still charged a fee even if the fee recipient is address(0)

Vulnerability Detail

Upon swapping between nuAssets, we have the following code:

    function swapExactInput(
        ...
    ) ... {
         ...
        (uint256 assetAmount, uint amountInFee) = getNbOfNuAssetFromNuAsset(_nuAssetFrom, _nuAssetTo, _amountToSwap);

        ...
        uint amountToBurn = _amountToSwap;
        // fees are 100% sent
        if (fee_address != address(0)) {
            SafeERC20.safeTransferFrom(IERC20(_nuAssetFrom), msg.sender, fee_address, amountInFee);
            amountToBurn -= amountInFee;
        }

        // burn asset from
        burnNuAssetFrom(nuAssetFrom, msg.sender, amountToBurn, 0);

       ...
    }

It calculates the amountToBurn from the user in exchange. Then, we send the fees to the fee recipient and deduct them from the amountToBurn. However, if the fee_address is address(0) indicating no fees, then this will result in amountToBurn not decreasing, causing the user to still get all of his tokens burned despite there being no fees.

Attack Path

No response

Impact

Users are still charged a fee even if recipient is address(0) causing loss of funds for them

Mitigation

Decrease amountToBurn even if the fee recipient is address(0)