Fee manager upgrades allow factory owner to change fees and prevent option exercise
Description
The WasabiPoolFactory contract allows its owner to upgrade the feeManager. This fee manager is retrieved by both ERC20 and native ETH pools in option creation and execution. For instance, in ERC20WasabiPool, we have
function validateAndWithdrawPayment(uint256 _premium, string memory _message) internal override {
require(token.allowance(_msgSender(), address(this)) >= _premium && _premium > 0, _message);
IWasabiFeeManager feeManager = IWasabiFeeManager(factory.getFeeManager());
(address feeReceiver, uint256 feeAmount) = feeManager.getFeeData(address(this), _premium);
token.transferFrom(_msgSender(), address(this), _premium);
if (feeAmount > 0) {
token.transferFrom(_msgSender(), feeReceiver, feeAmount);
}
}Impact
The current implementation of the fee manager upgrade allows the factory owner to change the fee even after options have been minted. This lack of consistency and transparency can result in significant losses for option holders. Moreover, if the fee manager is set to a contract that reverts on feeManager.getFeeData, the owner can entirely prevent options from being exercised.
Recommendations
The ability for the owner to change fees and potentially prevent option exercise creates an unfair situation for existing option holders. To address this, a possible solution is to lock in the fee parameters at the time of option minting and store them in the OptionData of each option. This would eliminate the need for external calls to feeManager when exercising options, thereby ensuring that holders are not impacted by any future changes made by the owner.
Remediation
This issue has been acknowledged by Wasabi, and a fix was implemented in commit f4a1b00c↗.