If there's a fee mechanism in a protocol, you should always check: where it goes, who's responsible, and whether a contract has the necessary approvals for transfer.
Here is a small bug found in the Curves protocol.
During the sale of a token, Curves._transferFees subtracts all the fees from the selling price and transfers the remainder to the seller:
function _transferFees(
    address curvesTokenSubject,
    bool isBuy,
    uint256 price,
    uint256 amount,
    uint256 supply
) internal {
    (uint256 protocolFee, uint256 subjectFee, uint256 referralFee, uint256 holderFee, ) = getFees(price);
    {
        bool referralDefined = referralFeeDestination[curvesTokenSubject] != address(0);
        {
            address firstDestination = isBuy ? feesEconomics.protocolFeeDestination : msg.sender;
@>          uint256 buyValue = referralDefined ? protocolFee : protocolFee + referralFee;
            uint256 sellValue = price - protocolFee - subjectFee - referralFee - holderFee;
            (bool success1, ) = firstDestination.call{value: isBuy ? buyValue : sellValue}("");
            ...
        }
        ...
}
However, the protocolFee deducted on a sale is not transferred to the protocolFeeDestination in the remainder of the _transferFees function. It stays in the contract with no other way of retrieval.
Furthermore, referralFee is deducted without checking whether a referral address actually exists. This leaves the referral fee in the contract, again with no retrieval mechanism.
So if you have such a mechanism in your protocol, check now to see if it has the same problem.
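One way to run that check is a value-conservation model of the sell path: every wei of the price must leave through some transfer, and whatever is left over is stranded in the contract. This is an added example, not code from the original post or from Curves. The fee percentages, the 1e18 scaling, the payout of subjectFee and holderFee in the elided part of the function, and the patched variant (which mirrors the buyValue rule shown above) are assumptions.

```python
from dataclasses import dataclass

WAD = 10**18  # assumption: fee percentages are fixed-point values scaled by 1e18


@dataclass(frozen=True)
class Fees:
    protocol: int
    subject: int
    referral: int
    holder: int


def get_fees(price: int, pct: Fees) -> Fees:
    """Each fee is price * pct / 1e18, rounded down like Solidity integer division."""
    return Fees(*(price * p // WAD
                  for p in (pct.protocol, pct.subject, pct.referral, pct.holder)))


def sell_payouts(price: int, pct: Fees, referral_defined: bool, patched: bool) -> dict:
    """Outbound transfers (recipient -> wei) made while handling a sell."""
    f = get_fees(price, pct)
    out = {
        # sellValue from the snippet: price minus all four fees goes to msg.sender
        "seller": price - f.protocol - f.subject - f.referral - f.holder,
        # assumption: the elided part of the function pays these two out
        "subject": f.subject,
        "holders": f.holder,
    }
    if referral_defined:
        out["referral"] = f.referral
    if patched:
        # One possible fix (assumption): apply the buy-path rule on sells too, so
        # protocolFeeDestination gets protocolFee, plus referralFee when no referral is set.
        out["protocol"] = f.protocol + (0 if referral_defined else f.referral)
    return out


def stranded(price: int, payouts: dict) -> int:
    """Wei that entered the fee split but was never transferred out."""
    return price - sum(payouts.values())


# Constructed sample percentages: 5% protocol, 5% subject, 2% referral, 3% holder
SAMPLE_PCT = Fees(5 * 10**16, 5 * 10**16, 2 * 10**16, 3 * 10**16)
```

A stranded value of zero for every combination of inputs is the invariant to assert in a fuzz or unit test of the real contract.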
#fee
#transfer
#referral