Issue Summary
Description
When matching an order using swapping (either by matching two users or matching a user versus a market maker), a trade fee is charged. This fee is taken from the collateral amount traded.
We show that, for the same desired outcome, there are two trade paths leading to them, where fee structure is asymmetric (one of the paths charges less fee).
The fee charged is different depending on the trade direction:
- Selling 1000 YES for $300 earns the treasury $3
- Buying 1000 NO for $700 earns the treasury $7
However, this by itself is not necessarily an issue, it could be a ...
But PUSH0 found out that in this specific codebase, it's possible to achieve the outcome of selling YES tokens by paying a smaller fee and abuse this.
Initial State
Let's say the price becomes 1 YES = 0.92 USDC. Assuming we are already holding 1000 YES, and we want to exit position (sell it). Let trade fee = 2% and claim fee = 1%:
Path 1
Selling 1000 YES gives a raw proceedings of 920 USDC. 901.6 goes to the user, and 18.4 USDC go to the treasury as fee.
Path 2
Buying 1000 NO gives a raw proceedings of 80 USDC to the market maker. An extra 1.6327 USDC go to the treasury as fee, and 80 USDC go to the maker. We spent 81.6327 USDC, but we now have 1000 YES and 1000 NO.
1000 YES and 1000 NO always redeems to 1000 USDC of collateral. Deduct a 1% claim fee and that makes 990 USDC of collateral claimed. Minus the 81.6327 spent on the order, and we have a net total of 908.3673 USDC, more than the 901.6 in path 1.
Conclusion
These type of issues are generally unique findings or have low dupes because they are super hard to come up with, as they require an actual business understanding of the codebase. In this case, the redemption path available enabled the issue to be weaponized into selling 1000 YES tokens, a certain desired outcome, for less fees.
It is evaluated as medium severity because the loss is constrained (fee difference unlikely to exceed 1%) and the market needs to be closed to profit.