minhtrng - Deposit fees can by bypassed

[sherlock-admin]

minhtrng

high

Deposit fees can by bypassed

Summary

The deposit fees are not accounted for when using the deposit queue mechanism.

Vulnerability Detail

In Carousel._deposit the full input amount is added into the queue:

//WARDEN: fees handled if not put into queue:
if (depositFee > 0) {
    (uint256 maxX, , uint256 minX) = getEpochConfig(_id);
    // deposit fee is calcualted linearly between time of epoch creation and epoch starting (deposit window)
    // this is because late depositors have an informational advantage
    uint256 fee = _calculateFeePercent(int256(minX), int256(maxX));
    // min minRequiredDeposit modifier ensures that _assets has high enough value to not devide by 0
    // 0.5% = multiply by 10000 then divide by 50
    uint256 feeAmount = _assets.mulDivDown(fee, 10000);
    assetsToDeposit = _assets - feeAmount;
    _asset().safeTransfer(treasury, feeAmount);
}
...
//WARDEN: when put into queue, no fee deduction happens
depositQueue.push(
    QueueItem({assets: _assets, receiver: _receiver, epochId: _id})
);

In Carousel.mintDepositInQueue only relayer fees are subtracted when minting shares:

_mintShares(
    queue[i].receiver,
    _epochId,
    queue[i].assets - relayerFee
);
...
asset.safeTransfer(msg.sender, _operations * relayerFee);

This way a user could bypass deposit fees by putting them into the queue and minting the deposit right after, so that relayer fees also end up back with them.

Impact

Deposit fees can be bypassed, causing loss of revenue for the protocol

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/ae7f210d8fbf21b9abf09ef30edfa548f7ae1aef/Earthquake/src/v2/Carousel/Carousel.sol#L494-L497

Tool used

Manual Review

Recommendation

Handle deposit fees before pushing them into queue. Make sure to adjust minRequiredDeposit.

Duplicate of #75