Bug report: make a pool to be a HoneyPot

This bug was found in the Curves protocol.

In short any CurveSubjects clould be turned to a HoneyPot by the creator of CurveSubject, which causes that users can only buy but can’t sell the curve tokens any more. Then malicious creators can sell their own tokens at a high price to make profit.

Let's take a look on the next code snippet:

    function _transferFees(
        address curvesTokenSubject,
        bool isBuy,
        uint256 price,
        uint256 amount,
        uint256 supply
    ) internal {
        (uint256 protocolFee, uint256 subjectFee, uint256 referralFee, uint256 holderFee, ) = getFees(price);
        {
            bool referralDefined = referralFeeDestination[curvesTokenSubject] != address(0);
            {
                address firstDestination = isBuy ? feesEconomics.protocolFeeDestination : msg.sender;
                uint256 buyValue = referralDefined ? protocolFee : protocolFee + referralFee;
                uint256 sellValue = price - protocolFee - subjectFee - referralFee - holderFee;
                (bool success1, ) = firstDestination.call{value: isBuy ? buyValue : sellValue}("");
                if (!success1) revert CannotSendFunds();
            }
            {
                (bool success2, ) = curvesTokenSubject.call{value: subjectFee}("");
                if (!success2) revert CannotSendFunds();
            }
            {
                (bool success3, ) = referralDefined
                    ? referralFeeDestination[curvesTokenSubject].call{value: referralFee}("")
                    : (true, bytes(""));
                if (!success3) revert CannotSendFunds();
            }

            if (feesEconomics.holdersFeePercent > 0 && address(feeRedistributor) != address(0)) {
                feeRedistributor.onBalanceChange(curvesTokenSubject, msg.sender);
                feeRedistributor.addFees{value: holderFee}(curvesTokenSubject);
            }
        }

1. First, please pay attention on L241 of Curves._transferFees() function: we can see the referralFeeDestination is always be called even when referralFee is 0, and if the call fails the whole transaction would revert.

2. And, we also find the referralFeeDestination could be set and updated by creator of CurveSubject at any time.

 function setReferralFeeDestination(
     address curvesTokenSubject,
     address referralFeeDestination_
) public onlyTokenSubject(curvesTokenSubject) {
     referralFeeDestination[curvesTokenSubject] = referralFeeDestination_;
}

By exploiting the above two facts, we can design the following malicious EvilReferralFeeReceiver contract. Once it was set as ReferralFeeDestination, the HoneyPot mode is enabled, users can only buy but can’t sell the related curve tokens any more.

You can read the full report here:

Link: https://code4rena.com/reports/2024-01-curves#h-03-attack-to-make-curvesubject-to-be-a-honeypot