Description

In AllocatorVaultV1, fees are set through the configureVault function. Currently, the MAX_BPS is configured as MAX_BPS = 10_000, which represents 100%.

function configureVault(AllocatorVaultConfig memory _config) public onlyRole(DEFAULT_ADMIN_ROLE) {
        require(_config.depositFee <= MAX_BPS, "Deposit fee too high");
        require(_config.performanceFee <= MAX_BPS, "Performance fee too high");
        require(_config.managementFee <= MAX_BPS, "Management fee too high");
        require(_config.feeRecipient != address(0), "Invalid fee recipient");
        config = _config;
    }

If fees are set excessively, an attacker can invoke the harvest function to significantly increase the totalSupply() value. Consequently, users may find themselves unable to proceed with withdrawals, as the exchange rate of assets becomes prohibitively high.

Impact

If the fee value is set excessively high, leading to a substantial increase in the totalSupply() value, users may risk having their funds permanently frozen.

Recommendations

To mitigate this risk, consider implementing a more reasonable upper limit for fees, such as capping them at a lower percentage (e.g., 5%). Additionally, requiring multi-signature approval for fee changes can provide an extra layer of security and prevent accidental or malicious fee misconfigurations.

Remediation

This issue has been acknowledged by StakeKit, and a fix was implemented in commit 30f915fc↗.