search
Active Boosts

#46847 [SC-Low] executor fee is not paid or burned in `rejectInvalidRedemption`

Submitted on Jun 5th 2025 at 08:47:16 UTC by @pseudoArtist for Audit Comp | Flare | FAssetsarrow-up-right

  • Report ID: #46847

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/RedemptionRequests.sol

  • Impacts:

    • Permanent freezing of funds

hashtag
Description

hashtag
Brief/Intro

When calling rejectInvalidRedemption the function doens't handle the executor fee correctly and doesn't call payOrBurnExecutorFee which will cause the fee to be stuck in the contract.

hashtag
Vulnerability Details

The function payOrBurnExecutorFee is called in function rejectRedemptionRequest which transfers the executor fee to the executor if the caller is the executor and burns the fee if it is the agent.

    function payOrBurnExecutorFee(
        Redemption.Request storage _request
    )
        internal
    {
        uint256 executorFeeNatWei = _request.executorFeeNatGWei * Conversion.GWEI;
        if (executorFeeNatWei > 0) {
            _request.executorFeeNatGWei = 0;
            if (msg.sender == _request.executor) {
                Transfers.transferNAT(_request.executor, executorFeeNatWei);
            } else {
                Agents.burnDirectNAT(executorFeeNatWei);
            }
        }
    }

However the same call is not done in the function rejectInvalidRedemption , and later the requestID is deleted.

hashtag
Impact Details

This causes 2 problems

  1. Executor fee is not burnt if the caller is agent and executors are not incentivised if they are meant to call the function.

  2. The executor fee will will remain stuck in the contract as their is no function to withdraw the native tokens recieved as fee.

hashtag
References

hashtag
Proof of Concept

hashtag
Proof of Concept

Step 1: RedemptionRequestsFacet.redeem() is called with some executor fee.

Step 2: The function calls RedemptionRequests.redeem() and creates a new redemption request.

Step 3: If the address is invalid or not normalised agent calls rejectInvalidRedemption() and deletes redemption request without properly calling payOrBurnExecutorFee.

Step 4: The fee will be stuck in the contract with no way to get it.

Previous#46836 [SC-Low] buybackAgentCollateral will revert due to overflowNext#46848 [SC-Insight] Minters can grief agents by deliberately fragmenting the agent's redemption ticket queue with minimal size tickets, preventing or delaying large transfers to core vault

Was this helpful?