You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
From the comment, the intended logic is that the higher of the two sell fees—either the regular sell fee (lastSellFee) or the sell fee calculated under the critical CF (Collateral Factor) (sell_fee_criticalCF)—should be used as the final fee rate.
The rationale is that when the system is in a state of “extreme danger” or “near insolvency,” the sell fee should increase to discourage further selling, deter malicious behavior, or subsidize system safety.
However, the actual implementation does the opposite: if sell_fee_criticalCF is less than sell_fee_result, the final fee is set to the lower sell_fee_criticalCF. This completely contradicts the intention stated in the comment, as it effectively selects the lower fee instead of the higher one.
Impacts of the Issue
Conflict Between Functionality and Comments
• The comment specifies, “Whichever sell fee is greater should be used…”, but the code selects the smaller fee instead.
• This significantly disrupts the intended logic for sell fees: in the most dangerous scenarios, the sell fee is reduced rather than increased, undermining the safety design.
Potential for Economic Risk
• Under cf_critical conditions (a highly dangerous state), the calculated sell_fee_criticalCF is supposed to be higher to protect the system.
• However, the current implementation applies a min() operation, potentially lowering the sell fee to a level that fails to deter heavy sell pressure or to collect sufficient fees to subsidize system deficits.
Exploitation by Attackers
• When the system is in a state of under-collateralization or extreme danger, the intention is to discourage selling and stabilize the market by imposing additional sell fees.
• This bug, however, allows the fee to drop to the lower value at the most critical moment, giving attackers a window of opportunity to exploit the system.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
No response
PoC
No response
Mitigation
Based on the comment “Whichever sell fee is greater should be used”, the fix is straightforward: modify the condition to select the higher fee of the two
The text was updated successfully, but these errors were encountered:
Bent Concrete Crocodile
High
{actor} will {impact} {affected party}
Summary
https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/NumaProtocol/VaultManager.sol#L401
From the comment, the intended logic is that the higher of the two sell fees—either the regular sell fee (lastSellFee) or the sell fee calculated under the critical CF (Collateral Factor) (sell_fee_criticalCF)—should be used as the final fee rate.
The rationale is that when the system is in a state of “extreme danger” or “near insolvency,” the sell fee should increase to discourage further selling, deter malicious behavior, or subsidize system safety.
However, the actual implementation does the opposite: if sell_fee_criticalCF is less than sell_fee_result, the final fee is set to the lower sell_fee_criticalCF. This completely contradicts the intention stated in the comment, as it effectively selects the lower fee instead of the higher one.
Impacts of the Issue
Conflict Between Functionality and Comments
• The comment specifies, “Whichever sell fee is greater should be used…”, but the code selects the smaller fee instead.
• This significantly disrupts the intended logic for sell fees: in the most dangerous scenarios, the sell fee is reduced rather than increased, undermining the safety design.
Potential for Economic Risk
• Under cf_critical conditions (a highly dangerous state), the calculated sell_fee_criticalCF is supposed to be higher to protect the system.
• However, the current implementation applies a min() operation, potentially lowering the sell fee to a level that fails to deter heavy sell pressure or to collect sufficient fees to subsidize system deficits.
Exploitation by Attackers
• When the system is in a state of under-collateralization or extreme danger, the intention is to discourage selling and stabilize the market by imposing additional sell fees.
• This bug, however, allows the fee to drop to the lower value at the most critical moment, giving attackers a window of opportunity to exploit the system.
Root Cause
No response
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
No response
PoC
No response
Mitigation
Based on the comment “Whichever sell fee is greater should be used”, the fix is straightforward: modify the condition to select the higher fee of the two
The text was updated successfully, but these errors were encountered: