Description

When a trade is being closed, the function _unregisterTrade is called to unregister the trade. The function calls applyReferralClose to calculate the referrerRebate and feeAfterRebate. The issue here is that feeAfterRebate includes the referrer rebate too.

The function applyReferralClose is responsible to calculate feeAfterRebate and referrerRebate.

function applyReferralClose(
    address _trader,
    uint _fees,
    uint _leveragedPosition
) public override onlyTrading returns (uint, uint) {
    (uint traderFeePostDiscount, address referrer, uint referrerRebate) =
        referral.traderReferralDiscount(_trader, _fees);

    if (referrer != address(0)) {
        rebates[referrer] += referrerRebate;
        emit TradeReferred(
            _trader, 
            referrer, 
            _leveragedPosition, 
            traderFeePostDiscount, 
            _fees - traderFeePostDiscount,
            referrerRebate
        );
        return (traderFeePostDiscount, referrerRebate);
    }
    return (_fees, referrerRebate);
}

Here the value traderFeePostDiscount includes the referrerRebate, which should be subtracted from it before it is returned.

Impact

The feeAfterRebate is used to allocate rewards using the vault manager. If the referrerRebate is not subtracted from it, more rewards would be allocated as compared to what is available.

Recommendations

Subtract referrerRebate from traderFeePostDiscount before returning the value in applyReferralClose.

Remediation

This issue has been acknowledged by Avantis Labs, Inc., and a fix was implemented in commit bd5cb1f1↗.