Category: Business Logic
The governance may fail to set the fee
Low Severity
Low Impact
Medium Likelihood
Description
Addresses with the GOV_ROLE
are able to set the fee. In the function setFee
, if the return value of the function getFeeAmount
is greater than zero, it will call the function claimFees
to collect fees.
function setFee(uint256 _fee) external onlyRole(poolFactory.GOV_ROLE()) {
// [...]
// Force a fee claim to prevent governance from setting a higher fee
// and collecting increased fees on old deposits
if (getFeeAmount() > 0) {
claimFees();
}
// [...]
}
However, only the fee beneficiary is allowed to call the function claimFees
.
function claimFees() public nonReentrant {
require(msg.sender == feeBeneficiary, NotBeneficiary());
// [...]
}
Impact
Since the address with the GOV_ROLE
and the fee beneficiary might be different addresses, the governance may fail to set the fee due to the NotBeneficiary
error.
Recommendations
Consider recording the accumulated fees in a state variable and updating lastFeeClaimTime
. The fee beneficiary can claim this fee later.
Remediation
This issue has been acknowledged by Plaza Finance, and a fix was implemented in commit 899b4185↗.