search
Active Boosts

#45554 [SC-Medium] Fee loss during Agent's feeBIPS reduction in `selfMint` function

Submitted on May 16th 2025 at 17:02:47 UTC by @holydevoti0n for Audit Comp | Flare | FAssetsarrow-up-right

  • Report ID: #45554

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/facets/MintingFacet.sol

  • Impacts:

    • Permanent freezing of unclaimed yield

hashtag
Description

hashtag
Brief/Intro

When an agent reduces their feeBIPS between making an underlying payment and executing selfMint, fees paid on the underlying chain are lost. This creates a gap where fees aren't properly captured in the protocol, resulting in a loss of funds for collateral pool participants.

hashtag
Vulnerability Details

Unlike the executeMinting function which stores the fee amount at the time of collateral reservation, the selfMint function calculates fees at execution time based on the agent's current feeBIPS value: https://github.com/flare-labs-ltd/fassets/blob/acb82a27b15c56ce9dfbb6dbbd76008da6753c26/contracts/assetManager/library/Minting.sol#L92

function selfMint(
    IPayment.Proof calldata _payment,
    address _agentVault,
    uint64 _lots
)
    internal
{
    ...
    uint64 valueAMG = _lots * Globals.getSettings().lotSizeAMG;
    uint256 mintValueUBA = Conversion.convertAmgToUBA(valueAMG);
@>    uint256 poolFeeUBA = calculateCurrentPoolFeeUBA(agent, mintValueUBA);
  ...
    
    if (_lots > 0) {
@>        _performMinting(agent, MintingType.SELF_MINT, 0, msg.sender, valueAMG, receivedAmount, poolFeeUBA);
    }
}

The calculateCurrentPoolFeeUBA function uses the agent's current feeBIPS to calculate the fee:

hashtag
Example

  1. An agent has feeBIPS set to 5% (500 basis points)

  2. The agent makes a payment on the underlying chain that includes this 5% fee

  3. The agent has his feeBIPS decreased to 0% (which requires announcement and execution, taking approximately 1 hour based on the current data from mainnet)

  4. After the feeBIPS reduction is completed, the agent calls selfMint

  5. When selfMint executes, it calculates poolFeeUBA based on the current feeBIPS (0%), resulting in zero fees

  6. The protocol mints 0 fee tokens to the collateral pool:

  1. The fees paid on the underlying chain are effectively lost, never making it into the protocol

Notice this vulnerability does not affect the executeMinting function because it uses a different approach. In executeMinting, the fee is calculated and stored at the time of collateral reservation:

The calculatePoolFeeUBA function for collateral reservations uses the fee stored in the reservation:

hashtag
Impact Details

Loss of funds for the collateral pool participants.

hashtag
Proof of Concept

  1. An agent has feeBIPS set to 5% (500 basis points)

  2. The agent makes a payment on the underlying chain that includes this 5% fee

  3. The agent has his feeBIPS decreased to 0% (which requires announcement and execution, taking approximately 1 hour based on the current data from mainnet)

  4. After the feeBIPS reduction is completed, the agent calls selfMint

  5. When selfMint executes, it calculates poolFeeUBA based on the current feeBIPS (0%), resulting in zero fees

  6. The protocol mints 0 fee tokens to the collateral pool:

  1. The fees paid on the underlying chain are effectively lost, never making it into the protocol

Previous#45533 [SC-Low] Incorrect gas allowance comparison in CoreVault transfer function leads to user fund lossNext#45550 [SC-Medium] [H-01] `illegalPaymentChallenge` is vulnerable to frontrunning by external challengers stealing the reward

Was this helpful?