Withdrawal-fee bypass with dust amounts
The withdrawal-fee calculation lacks a minimum withdrawal-amount check. When request.amount * withdrawalFee < 10_000, the fee calculation rounds down to zero, allowing fee-free withdrawals:
if (withdrawalFee > 0 && feeRecipient != address(0)) {
!   feeAmount = (uint256(request.amount) * withdrawalFee) / 10_000;
    amountAfterFee = request.amount - feeAmount;
    [...]
}

For standard tokens with six or more decimals (e.g., USDC with six decimals), this requires extremely small withdrawal amounts to trigger the bypass. For example, with a 1% fee (100 basis points), amounts below 100 token units (0.0001 USDC) would incur no fee. The real-world impact is minimal for such tokens.
However, if the protocol whitelists tokens with lower decimal precision in the future, the bypass becomes more significant. A token with two decimals and a 1% fee would allow fee-free withdrawals for any amount below one full token unit.
We recommend enforcing a minimum withdrawal amount in requestWithdrawal if the protocol plans to support tokens with lower decimal precision. Alternatively, document that only tokens with sufficient decimal precision should be whitelisted to make this edge case economically insignificant.
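The following Python model, added here as an example and not code from the audited contract, mirrors the on-chain fee arithmetic (unsigned integer division floors, exactly as in Solidity), derives the largest fee-free amount for a given fee in basis points, expresses it in whole tokens for a chosen decimal precision, and shows the recommended minimum-withdrawal check applied before the fee calculation. The function names, the min_withdrawal_amount parameter and the sample fee values are assumptions made for the illustration.

```python
from fractions import Fraction

BPS_DENOMINATOR = 10_000  # same basis-point denominator the contract uses


def fee_amount(amount: int, withdrawal_fee_bps: int) -> int:
    """Mirror of the on-chain line: (amount * fee) / 10_000 with floor division.

    Any amount where amount * fee < 10_000 yields a fee of zero.
    """
    if amount < 0 or withdrawal_fee_bps < 0:
        raise ValueError("amount and fee must be non-negative")
    return (amount * withdrawal_fee_bps) // BPS_DENOMINATOR


def fee_free_threshold(withdrawal_fee_bps: int) -> int:
    """Largest withdrawal amount (in base units) whose fee rounds to zero."""
    if withdrawal_fee_bps <= 0:
        raise ValueError("fee must be positive for a threshold to exist")
    # fee == 0  <=>  amount * fee < 10_000  <=>  amount < ceil(10_000 / fee)
    smallest_charged = -(-BPS_DENOMINATOR // withdrawal_fee_bps)  # ceiling division
    return smallest_charged - 1


def fee_free_threshold_in_tokens(withdrawal_fee_bps: int, decimals: int) -> Fraction:
    """Same threshold expressed in whole tokens for a token with `decimals` decimals."""
    return Fraction(fee_free_threshold(withdrawal_fee_bps), 10 ** decimals)


def minimum_amount_for_nonzero_fee(withdrawal_fee_bps: int) -> int:
    """Smallest amount at which the fee is at least one base unit.

    A natural lower bound for the recommended minimum withdrawal amount (assumption:
    the protocol may choose a larger minimum for other reasons).
    """
    return fee_free_threshold(withdrawal_fee_bps) + 1


def request_withdrawal_hardened(
    amount: int, withdrawal_fee_bps: int, min_withdrawal_amount: int
) -> tuple[int, int]:
    """Fee path with the recommended minimum-amount check in front of it.

    Returns (fee_amount, amount_after_fee); rejects dust below the minimum.
    """
    if amount < min_withdrawal_amount:
        raise ValueError("withdrawal below minimum amount")
    fee = fee_amount(amount, withdrawal_fee_bps)
    return fee, amount - fee


if __name__ == "__main__":
    fee_bps = 100  # 1% fee, the value used in the finding
    print("fee-free threshold in base units:", fee_free_threshold(fee_bps))
    for decimals in (6, 2):  # USDC-like vs. a hypothetical two-decimal token
        print(f"{decimals} decimals: fee-free below",
              float(fee_free_threshold_in_tokens(fee_bps, decimals)), "tokens")
    print("hardened withdrawal of 1000 units:",
          request_withdrawal_hardened(1000, fee_bps, minimum_amount_for_nonzero_fee(fee_bps)))
```

With a 1% fee the model reproduces the numbers in the finding: the fee is zero for every amount up to 99 base units, which is 0.000099 USDC at six decimals but 0.99 of a token at two decimals, and setting the minimum withdrawal to 100 base units (or higher) closes the fee-free path entirely.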