021.md

Obedient Lava Monkey

Medium

Incorrect Fee Handling for executeBackUnbacked When amount > reserve.unbacked

Summary

In BridgeLogic.sol, the function calculates backingAmount as the lesser of amount or reserve.unbacked, but it does not adjust the fee proportionately to match the backingAmount, which will cause overpayment of fees for backers as the protocol charges fees on the full amount instead of the actual backingAmount.

---

Root Cause

In BridgeLogic.sol, the line:

uint256 backingAmount = (amount < reserve.unbacked) ? amount : reserve.unbacked;

correctly limits backingAmount to reserve.unbacked. However, the fee remains based on the original amount:

uint256 added = backingAmount + fee;

This overcharges fees when amount > reserve.unbacked.

---

Internal Pre-conditions

1. User calls executeBackUnbacked with amount greater than reserve.unbacked.
2. The reserve has an unbacked amount less than the requested amount.

---

External Pre-conditions

1. The caller has approved sufficient tokens to cover amount + fee to the aToken contract.

---

Attack Path

1. A backer calls executeBackUnbacked with an amount significantly larger than reserve.unbacked (e.g., amount = 1000, reserve.unbacked = 100).
2. The function limits the backingAmount to 100, but the fee is still calculated for the full amount = 1000.
3. The backer is forced to pay an excessive fee disproportionate to the actual backingAmount.

---

Impact

The backer suffers excessive fee payments, causing inefficiencies and potentially deterring liquidity provision. For example:

• If the protocolFeeBps is 100 (1%) and fee = 10 for amount = 1000, the backer pays fee = 10 instead of fee = 1 for backingAmount = 100.

---

Mitigation

Adjust the fee proportionally to match the backingAmount:

if (amount > reserve.unbacked) {
    fee = fee.percentMul(reserve.unbacked).percentDiv(amount);
}