Freezing of users' funds due to excessive fee settings
Description
In AllocatorVaultV1, fees are set through the configureVault function. Currently, MAX_BPS is configured as MAX_BPS = 10_000, which represents 100%.
    // Each fee is only bounded by MAX_BPS, so any fee may be set as high as 100%.
    function configureVault(AllocatorVaultConfig memory _config) public onlyRole(DEFAULT_ADMIN_ROLE) {
        require(_config.depositFee <= MAX_BPS, "Deposit fee too high");
        require(_config.performanceFee <= MAX_BPS, "Performance fee too high");
        require(_config.managementFee <= MAX_BPS, "Management fee too high");
        require(_config.feeRecipient != address(0), "Invalid fee recipient");
        config = _config;
    }
If fees are set excessively high, an attacker can invoke the harvest function to significantly increase the totalSupply() value. Consequently, users may find themselves unable to withdraw, because the share-to-asset exchange rate becomes prohibitively unfavourable.
Impact
If the fee value is set excessively high, leading to a substantial increase in the totalSupply() value, users risk having their funds permanently frozen.
Recommendations
To mitigate this risk, consider implementing a more reasonable upper limit for fees, such as capping them at a lower percentage (e.g., 5%). Additionally, requiring multi-signature approval for fee changes can provide an extra layer of security and prevent accidental or malicious fee misconfigurations.
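The following is an added illustration of the recommended fee cap; it is not StakeKit's code and not part of the audited AllocatorVaultV1. It assumes the AllocatorVaultConfig struct has the four fields referenced in the finding, replaces the role-based access control with a plain admin check to stay self-contained, and uses a constant MAX_FEE_BPS = 500 (5%) as the new upper bound, with MAX_BPS kept at 10_000 as in the audited code. The emitted event is an assumed addition so that fee changes can be monitored off-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not StakeKit's code): configureVault with a 5% per-fee cap.
// Assumed: AllocatorVaultConfig has exactly the fields used in the finding,
// and admin access is modelled with a simple immutable admin address.
contract FeeCapExample {
    uint256 public constant MAX_BPS = 10_000;   // 100%, as in the audited code
    uint256 public constant MAX_FEE_BPS = 500;  // 5% cap from the recommendation (assumed value)

    struct AllocatorVaultConfig {
        uint256 depositFee;      // in basis points
        uint256 performanceFee;  // in basis points
        uint256 managementFee;   // in basis points
        address feeRecipient;
    }

    AllocatorVaultConfig public config;
    address public immutable admin;

    // Assumed event: lets monitoring flag any fee change, not just out-of-range ones.
    event VaultConfigured(
        uint256 depositFee,
        uint256 performanceFee,
        uint256 managementFee,
        address feeRecipient
    );

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Hardened version: each fee is bounded by MAX_FEE_BPS (5%) rather than
    // MAX_BPS (100%), so an admin cannot configure a fee that lets harvest
    // inflate totalSupply() to the point where withdrawals become impossible.
    function configureVault(AllocatorVaultConfig memory _config) public onlyAdmin {
        require(_config.depositFee <= MAX_FEE_BPS, "Deposit fee too high");
        require(_config.performanceFee <= MAX_FEE_BPS, "Performance fee too high");
        require(_config.managementFee <= MAX_FEE_BPS, "Management fee too high");
        require(_config.feeRecipient != address(0), "Invalid fee recipient");
        config = _config;
        emit VaultConfigured(
            _config.depositFee,
            _config.performanceFee,
            _config.managementFee,
            _config.feeRecipient
        );
    }
}
```

The multi-signature requirement from the recommendation is not shown here; in practice it is obtained by assigning the admin role to a multisig wallet (optionally behind a timelock) rather than by changes to the vault contract itself, and the emitted event gives operators a concrete signal to alert on when any fee parameter changes.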
Remediation
This issue has been acknowledged by StakeKit, and a fix was implemented in commit 30f915fc.