Skip to content
This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

Emmanuel - Protocol fee from Market.sol is locked #52

Open
sherlock-admin opened this issue Aug 15, 2023 · 10 comments
Open

Emmanuel - Protocol fee from Market.sol is locked #52

sherlock-admin opened this issue Aug 15, 2023 · 10 comments
Labels
Escalation Resolved This issue's escalations have been approved/rejected Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Aug 15, 2023
edited by sherlock-admin2
Loading

Emmanuel

high

Protocol fee from Market.sol is locked

Summary

The MarketFactory#fund calls the specified market's Market#claimFee function.
This will send the protocolFee to the MarketFactory contract.
MarketFactory contract does not max approve any address to spend its tokens, and there is no function that can be used to get the funds out of the contract, so the funds are permanently locked in MarketFactory.

Vulnerability Detail

Here is MarketFactory#fund function:

  function fund(IMarket market) external {
        if (!instances(IInstance(address(market)))) revert FactoryNotInstanceError();
@>      market.claimFee();
    }

This is Market#claimFee function:

    function claimFee() external {
        Global memory newGlobal = _global.read();

        if (_claimFee(address(factory()), newGlobal.protocolFee)) newGlobal.protocolFee = UFixed6Lib.ZERO;
        ...
    }

This is the internal _claimFee function:

    function _claimFee(address receiver, UFixed6 fee) private returns (bool) {
        if (msg.sender != receiver) return false;

        token.push(receiver, UFixed18Lib.from(fee));
        emit FeeClaimed(receiver, fee);
        return true;
    }

As we can see, when MarketFactory#fund is called, Market#claimFee gets called which will send the protocolFee to msg.sender(MarketFacttory).
When you check through the MarketFactory contract, there is no place where another address(such as protocol multisig, treasury or an EOA) is approved to spend MarketFactory's funds, and also, there is no function in the contract that can be used to transfer MarketFactory's funds.
This causes locking of the protocol fees.

Impact

Protocol fees cannot be withdrawn

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/MarketFactory.sol#L89

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L133

https://github.com/sherlock-audit/2023-07-perennial/blob/main/perennial-v2/packages/perennial/contracts/Market.sol#L145-L151

Tool used

Manual Review

Recommendation

Consider adding a withdraw function that protocol can use to get the protocolFee out of the contract.
You can have the withdraw function transfer the MarketFactory balance to the treasury or something.
@github-actions github-actions bot added High A valid High severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Aug 18, 2023
This was referenced Aug 18, 2023
Closed
Closed
Closed
@sherlock-admin
Copy link
Contributor Author

2 comment(s) were left on this issue during the judging contest.

141345 commented:

h

n33k commented:

medium

@arjun-io arjun-io added Sponsor Confirmed The sponsor acknowledged this issue is valid Disagree With Severity The sponsor disputed the severity of this issue Will Fix The sponsor confirmed this issue will be fixed and removed Will Fix The sponsor confirmed this issue will be fixed labels Aug 18, 2023
@arjun-io
Copy link

We originally wanted to keep the funds in the Factory (for a future upgrade) but it might make sense to instead allow the Factory Owner (Timelock) to claim these funds instead

@141345 141345 added Medium A valid Medium severity issue and removed High A valid High severity issue labels Aug 23, 2023
@hrishibhat hrishibhat removed the Disagree With Severity The sponsor disputed the severity of this issue label Aug 23, 2023
@sherlock-admin2 sherlock-admin2 changed the title Fresh Aegean Sparrow - Protocol fee from Market.sol is locked Emmanuel - Protocol fee from Market.sol is locked Aug 23, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 23, 2023
@Emedudu
Copy link

Emedudu commented Aug 28, 2023

Escalate

I believe this is of HIGH severity because funds are permanently locked

@sherlock-admin2
Copy link
Contributor

Escalate

I believe this is of HIGH severity because funds are permanently locked

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin sherlock-admin added the Escalated This issue contains a pending escalation label Aug 28, 2023
@arjun-io
Copy link

Fixed equilibria-xyz/perennial-v2#79

re: Escalation - since this contract can be upgraded the funds are not permanently locked

@Emedudu
Copy link

Emedudu commented Aug 28, 2023

Fixed equilibria-xyz/perennial-v2#79

Can't access the repo to review the fix. It's probably a private repo.

since this contract can be upgraded the funds are not permanently locked

While it's true that the contract can potentially be upgraded to address this issue, it's essential to acknowledge that the current code we audited does, in fact, contain a high severity vulnerability. Otherwise, implying that all upgradeable contracts are free of bugs simply because they can be upgraded to resolve them would be misleading.

@arjun-io
Copy link

Otherwise, implying that all upgradeable contracts are free of bugs simply because they can be upgraded to resolve them would be misleading.

The distinction here is that "funds stuck" are fixable via upgrades, whereas attacks which immediately drain funds or those which cause accounting errors are not after they are executed.

@hrishibhat hrishibhat added High A valid High severity issue and removed Medium A valid Medium severity issue labels Sep 8, 2023
@hrishibhat
Copy link

Result:
High
Has duplicates
Although Sponsor raises a valid point, perhaps Sherlock needs to have a rule with respect to smart contract upgrade-related issues.
Historically smart contract upgrades have not weighed on the issue severity decisions but will be considered in future rule updates, however, this issue will be considered as a valid high issue based on historical decisions on similar issues.

@sherlock-admin2 sherlock-admin2 removed the Escalated This issue contains a pending escalation label Sep 8, 2023
@sherlock-admin sherlock-admin added the Escalation Resolved This issue's escalations have been approved/rejected label Sep 8, 2023
@sherlock-admin2
Copy link
Contributor

Escalations have been resolved successfully!

Escalation status:

@jacksanford1
Copy link

From WatchPug:

Fixed

@sherlock-admin2 sherlock-admin2 mentioned this issue Sep 23, 2023
Closed
@sherlock-admin sherlock-admin mentioned this issue Sep 23, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Escalation Resolved This issue's escalations have been approved/rejected Has Duplicates A valid issue with 1+ other issues describing the same vulnerability High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@arjun-io @hrishibhat @jacksanford1 @141345 @Emedudu @sherlock-admin @sherlock-admin2