roguereddwarf - Carousel: Deposit fee can be bypassed

[sherlock-admin]

roguereddwarf

high

Carousel: Deposit fee can be bypassed

Summary

When deposits are made to the Carousel a deposit fee is applied.

The deposit fee is a fee that linearly increases over the deposit time.
The moment the epoch is created, the deposit fee is at 0% of its value.
When the begin of the epoch is reached the deposit fee is at 100% of its value.

The purpose of the deposit fee is to tax the information advantage that later depositors have.
Later depositors have more knowledge of the funds in the Vaults and can therefore make more informed decisions.

Another purpose of the deposit fee is to generate income for the protocol since the deposit fee is sent to the treasury.

The deposit fee is correctly applied when a user directly makes a deposit. However when a user creates a deposit in the deposit queue no deposit fee is applied.
The issue is that the user can within the same transaction mint a single deposit from the queue (which is his deposit as the queue is a LIFO queue) which results in the same effect as doing the direct deposit.

However the put into deposit queue -> mint from deposit queue path does not apply the deposit fee.

Vulnerability Detail

Let's first look what happens when doing a deposit for a epoch directly, i.e. without the queue.
In the Carousel._deposit function the if block applies since we are performing a direct deposit.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L476-L493

As you can see the deposit fee is subtracted.

However when we deposit into the queue which we can do by specifying _id=0, the else block is entered.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L494-L499

It pushes the deposit into the queue.

The Carousel.mintDepositInQueue function can then be used to mint a single deposit (which is the deposit that we created).
And as you can see it directly calls _mintShares without subtracting a deposit fee.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310-L355

(Only the relayerFee is subtracted but it is much lower than the deposit fee and it is sent back to us for performing the function call)

Impact

The information advantage that later depositors have is not correctly taxed (the fee can be bypassed completely) and the protocol loses the fees that it should earn from deposits.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L470-L501

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310-L355

Tool used

Manual Review

Recommendation

A potential solution can be to apply the deposit fee to deposits from the queue as well.
Deposits from the queue are expected to be executed as soon as possible which means the deposit fees are also as low as possible which correctly reflects that a user that deposits into the queue has no knowledge about upcoming epochs.

Duplicate of #75