# #36136 \[SC-Insight] Fee calculation error in withdraw function of collateralVault contract **Submitted on Oct 21st 2024 at 14:58:52 UTC by @ProfitableFrog6412 for** [**Audit Comp | Anvil**](https://immunefi.com/audit-competition/audit-comp-anvil) * **Report ID:** #36136 * **Report Type:** Smart Contract * **Report severity:** Insight * **Target:** * **Impacts:** * Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) ## Description ## Brief/Intro A fee calculation error has been identified in the \`withdraw\` function of the CollateralVault contract. The problem lies in how the withdrawal fee is computed, resulting in users being charged an excessive fee. ## Vulnerability Details The vulnerability stems from the incorrect calculation of fees in the \`withdraw\` function. The current implementation calculates the fee using: \`\`\`solidity uint256 fee = Pricing.percentageOf(\_amount, uint256(withdrawalFeeBasisPoints)); \`\`\` This approach applies the withdrawal fee to the entire amount, rather than correctly adjusting it using the configured \`withdrawalFeeBasisPoints\`. Consequently, users end up being charged a larger fee than intended. The correct implementation should utilize: \`\`\`solidity uint256 withdrawAmount = Pricing.amountBeforeFee(\_amount, withdrawalFeeBasisPoints); // real withdraw amount uint256 fee = \_amount - withdrawAmount ; // real fee amount \`\`\` This way, the fee aligns with the configured basis points, ensuring users pay an accurate withdrawal fee. ## Impact Details If exploited or left unchecked, this bug leads to users being charged a higher fee than expected on each withdrawal. Over time, the cumulative overcharging could result in significant financial losses for the contract’s users, especially for high-value withdrawals. Furthermore, this discrepancy could erode user trust and damage the platform’s reputation. ## References ## Proof of Concept ## Proof of Concept \`\`\`solidity // SPDX-License-Identifier: MIT pragma solidity 0.8.26; import "./Pricing.sol"; contract FeeTest { uint16 public withdrawalFeeBasisPoints = 100; ``` function oldWithdrawAmountTest(uint256 amount) public view returns (uint256) { return amount - Pricing.percentageOf(amount, uint256(withdrawalFeeBasisPoints)); } function newWithdrawAmountTest(uint256 amount) public view returns (uint256) { return Pricing.amountBeforeFee(amount, withdrawalFeeBasisPoints); } function oldFeeTest() public view returns (uint256 expectedFee, uint256 incorrectRealFee) { uint256 amount = 100e18; uint256 withdrawAmount = oldWithdrawAmountTest(amount); expectedFee = Pricing.percentageOf( withdrawAmount, uint256(withdrawalFeeBasisPoints) ); incorrectRealFee = amount - withdrawAmount; } function Test() public view returns (uint256 oldAmount, uint256 newAmount) { uint256 amount = 100e18; return (oldWithdrawAmountTest(amount), newWithdrawAmountTest(amount)); } ``` } \`\`\` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/anvil/36136-sc-insight-fee-calculation-error-in-withdraw-function-of-collateralvault-contract.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.