57829 sc high incorrect fee implementation in paytovenue long payment path causes protocol fees to be permanently locked in escrow
Submitted on Oct 29th 2025 at 05:11:03 UTC by @chupinexx for Audit Comp | Belong
Report ID: #57829
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/platform/BelongCheckIn.sol
Impacts:
Permanent freezing of unclaimed royalties
Protocol insolvency
Unclaimed platform fees lead to protocol's fees lock
Description
Brief / Intro
The payToVenue function's logic for processing LONG token payments contains a critical accounting error. While the code correctly calculates the intended processing fee by subtracting it from a platform subsidy, it fails to execute the subsequent transfer of this fee to the protocol's treasury. Consequently, the fee is never collected; instead, it remains stranded within the venue's LONG balance in the Escrow contract. This would result in a permanent and irrecoverable loss of all processing fee revenue generated from every LONG payment across the entire platform.
Vulnerability Details
The issue is a straightforward but critical omission in the fund transfer logic. The protocol intends to collect a 2.5% fee on LONG payments, as stated in the documentation, but the implementation fails to complete the final step of actually collecting the fee.
According to the project's documentation, a 2.5% fee is supposed to be collected on customer payments made with the LONG token:
https://belongnet.github.io/docs/belong-checkin/whitepaper#venue-fees
Venue Fees LONG Payment Processing: 2.5% (Lower than cards, on customer payments)
The code correctly performs the calculation of this fee. When a customer pays with LONG, the contract calculates a platform subsidy and then subtracts the processing fee from it.
This is the core of the flaw. The code calculates a value for the processing fee, but this value is only used to decrease the amount of the subsidy being pulled from Escrow. The fee amount itself is never transferred out of the Escrow contract to the protocol's treasury (which would typically be handled by a call to _handleRevenue).
Tracing the Locked Funds: A Step-by-Step Example
Result / Problem
Protocol intended: provide 0.5 LONG subsidy and collect 2.5 LONG fee.
Actual behavior: only 0.5 LONG is pulled from the venue's escrowed subsidy balance; the 2.5 LONG processing fee is never transferred and remains in the Escrow contract under the venue's LONG balance.
There is no function in the contract to withdraw these residual fee amounts from the venue's escrow balance, so they are permanently locked and unrecoverable by the protocol.
Impact Details
Direct and Permanent Financial Loss: The protocol will lose 2.5% of the gross value of every LONG token payment. These funds become irrecoverably locked in the Escrow contract. Over time, this results in significant lost revenue.
References
Vulnerable code location: https://github.com/belongnet/checkin-contracts/blob/6b78ead6186c49cfec2787522460ddd516579a6b/contracts/v2/platform/BelongCheckIn.sol#L473-L484
Documentation: https://belongnet.github.io/docs/belong-checkin/whitepaper#venue-fees
Proof of Concept
Add this PoC test to the existing test suite in test/v2/platform/belong-check-in.test.ts. The PoC tracks the platform address balance (obtained from factory.nftFactoryParameters().platformAddress) and demonstrates that processing fees are never received. For every LONG payment, 2.5% of the transaction value is permanently locked in escrow.
Run the PoC:
The PoC shows:
Platform LONG balance remains unchanged (no increase)
Processing fee (2.5% of payment) remains locked in escrow
Platform receives 0% instead of the documented 2.5% processing fee
Was this helpful?