2024-12-03 Fee Accounting Disclosure
Inaccurate accounting of Fee Shares in the Singleton contract.
Summary
Pool creators on Vesu are able to specify a fee that is taken on the interest generated in the specific pool.
The accounting of this fee is incorrect resulting in a slightly smaller fee income by the pool curator.
This bug does not pose a risk to users apart from slightly smaller fee income for pool curators.
Background
Vesu runs a bug bounty program on Immunefi offering a total bounty of $100,000.
The vulnerability disclosed here has been reported by a whitehat through our Immunefi program recently.
Vesu has acknowledged the finding with a "High" classification due to the potential "loss" of expected fee income for pool curators. Vesu has compensated the whitehat with a payout according to the terms of the bug bounty program.
Details of vulnerability
When creating new lending pools, pool curators specify a fee parameter, fee_rate, that expresses a percentage fee taken on the interest generated by the pool.
This parameter is specified for each market in a Vesu pool separately.
The nominal fee is computed and accrued for the pool curator in the Singleton contract on each interaction with the market.
The calculation performed to compute the nominal fee (and respective collateral shares) is:
fee_shares = (interest * fee_rate * total_shares) / (total_assets + interest)
This calculation is slightly off, because its denominator ignores that the fee shares themselves are minted into total_shares and dilute the curator's position. Instead it should be
fee_shares = (interest * fee_rate * total_shares) / (total_assets + (1 - fee_rate) * interest)
Since the decimal fee_rate is a number between 0 and 1, the denominator of the current calculation is too large, so the curator earns a slightly smaller nominal fee than the parameter implies.
For reference, the estimated difference in fee income for a market with a 10% interest rate and a 20% fee_rate is only about 0.003%.
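The two formulas side by side, as an added worked example that is not Vesu's own code (the pool sizes, interest and fee below are constructed values, and exact fractions are used so the comparison is not blurred by rounding). It shows that the corrected formula hands the curator exactly fee_rate * interest in redeemable assets, while the deployed one falls short by fee_rate * interest / (total_assets + interest + fee_rate * interest), a gap that shrinks as the interest accrued per interaction gets small relative to the pool.

```python
from fractions import Fraction as F

# Constructed example values, not taken from any Vesu deployment:
# a market holding 1000 units of assets backed by 1000 shares (1:1)
# accrues 10 units of interest, with a 20% curator fee_rate.
TOTAL_ASSETS = F(1000)
TOTAL_SHARES = F(1000)
INTEREST = F(10)
FEE_RATE = F(1, 5)


def fee_shares_incorrect(interest, fee_rate, total_shares, total_assets):
    """Deployed formula: does not account for the minted fee shares diluting the pool."""
    return interest * fee_rate * total_shares / (total_assets + interest)


def fee_shares_fixed(interest, fee_rate, total_shares, total_assets):
    """Corrected formula: solves
    fee_shares / (total_shares + fee_shares) * (total_assets + interest) == fee_rate * interest
    for fee_shares."""
    return interest * fee_rate * total_shares / (total_assets + (1 - fee_rate) * interest)


def value_of_fee_shares(fee_shares, total_shares, total_assets, interest):
    """Assets the curator can redeem once interest is added and the fee shares are minted."""
    return fee_shares / (total_shares + fee_shares) * (total_assets + interest)


def curator_shortfall(interest, fee_rate, total_shares, total_assets):
    """(expected fee, fee actually received, relative shortfall) under the deployed formula."""
    expected = fee_rate * interest
    shares = fee_shares_incorrect(interest, fee_rate, total_shares, total_assets)
    received = value_of_fee_shares(shares, total_shares, total_assets, interest)
    return expected, received, (expected - received) / expected


if __name__ == "__main__":
    fixed = fee_shares_fixed(INTEREST, FEE_RATE, TOTAL_SHARES, TOTAL_ASSETS)
    print("fixed formula redeems:", value_of_fee_shares(fixed, TOTAL_SHARES, TOTAL_ASSETS, INTEREST))
    # Shortfall for one large accrual, then for a much smaller per-interaction accrual.
    for interest in (INTEREST, INTEREST / 1000):
        expected, received, rel = curator_shortfall(interest, FEE_RATE, TOTAL_SHARES, TOTAL_ASSETS)
        print(f"interest={float(interest):g}: expected={float(expected):.6g} "
              f"received={float(received):.6g} shortfall={float(rel) * 100:.5f}%")
```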
Details of fix
A fix to the fee_shares calculation has been implemented in the Singleton contract. Since the Singleton contract is immutable, this fix will be applied with a future migration of the protocol. Given the very limited impact on the fee earned, pool creators will only be minimally affected.
Timeline of events
2024-12-03: Disclosure made by the Vesu team
Links
- Vesu's bug bounty program