Assessment reportsPublic findings
Back to Zellic site
Assessment reports>DojoSwap>Informational findings>Commission-amount attribute is incorrect
GeneralOverview
Findings
Critical (1)
High (1)
Low (3)
Informational (3)Possible overflow in calculationsCommission-amount attribute is incorrectLaunchpad's migrate sets the contract to the current version and not the target version
DiscussionComposability
Threat ModelCrate: dojoswap_stakingCrate: launchpadCrate: dojoswap_pair
Audit ResultsAssessment Results
Category: Coding Mistakes

Commission-amount attribute is incorrect

Informational Severity
Informational Impact
N/A Likelihood

Description

Fees are deducted from the commission_asset; however, when it is added as an attribute, the fees are not deducted.

// CONTRACT - a user must do token approval
#[allow(clippy::too_many_arguments)]
pub fn swap(
    deps: DepsMut,
    env: Env,
    info: MessageInfo,
    sender: Addr,
    offer_asset: Asset,
    belief_price: Option<Decimal>,
    max_spread: Option<Decimal>,
    to: Option<Addr>,
    deadline: Option<u64>,
) -> Result<Response, ContractError> {
    ...
    let fees = commission_amount
        .checked_div(Uint128::from(2u128))
        .ok()
        .unwrap();
    // Sends half of commissions as fees to fee collector
    if !fees.is_zero() {
        let commission_asset = Asset {
            info: ask_pool.info.clone(),
            amount: fees,
        };
        messages.push(commission_asset.into_msg(Addr::unchecked(FEE_COLLECTOR))?);
    }
    ...
    Ok(Response::new().add_messages(messages).add_attributes(vec![
    ("commission_amount", &commission_amount.to_string()),
}

Impact

The attributes of this transaction will be inaccurate.

Recommendations

Deduct the fees from the commission_asset before adding it as an attribute.

Remediation

Dojoswap Labs, PTE provided the following response:

Acknowledged. Attribute is currently not used anywhere else other than as logs.

Zellic © 2024Back to top ↑