Inspex - The deposit fee can be bypassed by using mintDepositInQueue() function.

[sherlock-admin]

Inspex

high

The deposit fee can be bypassed by using mintDepositInQueue() function.

Summary

Any user can avoid paying the deposit fee for the Carousel contract's treasury by adding themselves to the deposit queue and then calling the mintDepositInQueue() function to deposit and collect the relayer fee.

Vulnerability Detail

In the Carousel contract, the users are allowed to add themselves to the deposit queue by calling the deposit function with the _id parameter set to zero.

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L470-L501

After that, the user must call the mintDepositInQueue() function to dequeue themselves from the top of the queue and deposit themselves into the pool; in this process, the relayer fee will be calculated and sent to the msg.sender as shown in line 354.

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310-L355

As a result, the user can deposit their asset into the pool without having to pay the deposit fee.

In addition, the relayer should execute from the beginning of the queue to perform as the role defines.

Impact

The pool's treasury will not receive deposit fees as expected.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L306-L355

Tool used

Manual Review

Recommendation

We recommend collecting the deposit fee by deducting it from the relayer fee, e.g., 10% of the relayer fee.

uint256 _fee = _operations * relayerFee;
uint256 _depositFee = _fee * 10 / 100; /// e.g., 10% of relayer fee
uint256 _relayerFee = _fee - _depositFee;
asset.safeTransfer(msg.sender, _relayerFee);

For the deposit queue execution order, we recommended changing to the FIFO(First in, first out) queue and keep the operated index in the state variable.

error InvalidQueueLength();
error InvalidOperation();
uint256 public depositQueueOperatedIndex;
/** @notice mints deposit in rollover queue
    @param _epochId epoch id
    @param _operations  uint256 of how many operations to execute;
 */
function mintDepositInQueue(uint256 _epochId, uint256 _operations)
    external
    epochIdExists(_epochId)
    epochHasNotStarted(_epochId)
    nonReentrant
{
    // make sure there is already a new epoch set
    // epoch has not started
    QueueItem[] memory queue = depositQueue;
    uint256 length = depositQueue.length;

    // dont allow minting if epochId is 0
    if (_epochId == 0) revert InvalidEpochId();

    if (length == 0) revert OverflowQueue();
    if (depositQueueOperatedIndex == length) revert InvalidQueueLength();

    if (_operations == 0) revert InvalidOperation();
    uint256 i = _operations;
    uint256 _currentIndex;
    while(i > 0) {
        _currentIndex = depositQueueOperatedIndex;
        _mintShares(
            queue[_currentIndex].receiver,
            _epochId,
            queue[_currentIndex].assets - relayerFee
        );
        emit Deposit(
            msg.sender,
            queue[_currentIndex].receiver,
            _epochId,
            queue[_currentIndex].assets - relayerFee
        );
        unchecked {
            i--;
        }
        depositQueueOperatedIndex++;
        if (depositQueueOperatedIndex == length) break;
    }
    _operations -= i;
    emit RelayerMinted(_epochId, _operations);

    uint256 _fee = _operations * relayerFee;
    uint256 _depositFee = _fee * 10 / 100; /// e.g., 10% of relayer fee
    uint256 _relayerFee = _fee - _depositFee;
    asset.safeTransfer(treasury, _depositFee);
    asset.safeTransfer(msg.sender, _relayerFee);
}

Duplicate of #75