Collected fees are never transferred out of Pool contract #60
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
M-05
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2024-04-gondi/blob/b9863d73c08fcdd2337dc80a8b5e0917e18b036c/src/lib/pools/Pool.sol#L444
Vulnerability details
Impact
Lenders in the Gondi protocol could be EOA or Gondi Pool. The Gondi Pool, an ERC4626, allows anyone to deposit funds and earn yield from lending on Gondi. When a loan is repaid or liquidated, the pool deducts a fee from the received amount before adding the rest to the pool balance. As shown in the
loanRepayment()
function, the fees are calculated by callingprocessFees()
and then added togetCollectedFees
. After that, the accounting function_loanTermination()
is called with the amount beingreceived - fees
.However, this fee is credited to
getCollectedFees
but never transferred out of the pool. As a result, these funds remain locked in the contract indefinitely.Proof of Concept
The
processFees()
function only calculates the fee but doesn't transfer anything.Then after
getCollectedFees
is credited forfees
, we can see thisgetCollectedFees
is never transferred out of the pool.Tools Used
Manual Review
Recommended Mitigation Steps
Add a function to collect the credited fees
getCollectedFees
from the pool in the FeeManager contract.Assessed type
Other
The text was updated successfully, but these errors were encountered: