The dcaSell function calculates minOutput based on the taxToken amount instead of the expected assetToken amount. This results in a much lower minOutput than required, allowing significant slippage and potential loss of funds during swaps.
Calculate minOutput by first getting the expected assetToken amount using the router's getAmountsOut, then apply slippage to that value. For example:
uint256[] memory amountsOut = router.getAmountsOut(amountToSwap, path);
uint256 expectedAsset = amountsOut[1];
uint256 minOutput = (expectedAsset * (DENOM - slippage)) / DENOM;
The initialize function sets feeRate to 100 (1%) and creatorFeeRate to 3000 (30%), which sum to 3100 (31%) instead of 10000 (100%). This causes the creatorFee to be calculated as 99% of assetReceived instead of the intended 30%, leading to incorrect fund distribution.
Ensure that feeRate and creatorFeeRate sum to DENOM (10000) during initialization. Adjust the initial values to sum to 10000, e.g., feeRate=1000 (10%) and creatorFeeRate=9000 (90%), or add a require statement in initialize to validate the sum.
Line 119 – 120
The handleAgentTaxes function allows the executor to specify any minOutput value. A malicious or compromised executor can set a very low minOutput, allowing swaps to execute with significant slippage, resulting in loss of funds.
Calculate minOutput based on the current market rate (using router.getAmountsOut) and apply a maximum allowable slippage, instead of allowing the executor to set it arbitrarily.
Line 199 – 207
The fee calculation in _swapForAsset assumes feeRate + creatorFeeRate equals DENOM (10000), but during initialization, these values sum to 3100. This results in incorrect fee distribution, with the creator receiving 99% of the asset instead of the intended 30%.
Ensure that feeRate and creatorFeeRate always sum to DENOM. Add a require statement in the initialize function to validate this condition and correct the initial values.
Line 276 – 277
The _swapForAsset function calculates the creator's share as the remaining amount after deducting the platform fee, instead of using the creatorFeeRate. This results in the creator receiving the entire remaining balance after the platform fee, which may not align with the intended fee structure. For example, if feeRate is 1% (100) and creatorFeeRate is 30% (3000), the code incorrectly assigns 99% to the creator instead of 30%. This is due to the code not using creatorFeeRate in the calculation, leading to incorrect asset distribution.
Calculate the creator's fee using creatorFeeRate and ensure the sum of feeRate and creatorFeeRate equals DENOM. For example:
uint256 feeAmount = (assetReceived * feeRate) / DENOM;
uint256 creatorFee = (assetReceived * creatorFeeRate) / DENOM;
The dcaSell function calculates minOutput using the input taxToken amount instead of the expected assetToken amount. This results in incorrect slippage protection, potentially allowing swaps with much lower assetToken amounts than intended, leading to significant losses due to slippage.
Calculate minOutput based on the expected assetToken amount using the router's getAmountsOut and apply slippage to that value. For example:
uint256 expectedAmount = router.getAmountsOut(amountToSwap, path)[1];
uint256 minOutput = (expectedAmount * (DENOM - slippage)) / DENOM;
The initialize function sets feeRate = 100 and creatorFeeRate = 3000, summing to 3100 instead of the required 10000 (DENOM). This causes subsequent swaps to use an invalid fee split, distributing 1% to the platform and 99% to the creator instead of the intended 1% and 30%.
Correct the initial fee rates to sum to DENOM (e.g., feeRate = 100, creatorFeeRate = 9900 if intended as 1% + 99%). Ensure all fee updates via updateSwapParams validate the sum.
Line 119 – 120
The AgentTax contract caches the creator address from the agentNft upon first lookup. If the agentNft's founder is updated, the cached creator address is not refreshed, leading to fees being sent to the old address instead of the new one.
Remove the caching mechanism and fetch the latest creator address from agentNft each time, or provide a function to update the cached creator when the agentNft's data changes.
Line 224 – 231
The contract caches TBA and creator addresses from AgentNft upon first access. If these values change in AgentNft, the contract continues using outdated cached values, leading to incorrect tax distributions (e.g., sending funds to an old creator or TBA).
Remove caching and fetch the latest TBA and creator from AgentNft on every call, or implement a mechanism to refresh cached values when they change in AgentNft.
Line 221 – 231
The dcaSell function allows the executor to specify a maxOverride higher than the contract's maxSwapThreshold, enabling swaps beyond intended limits. This could lead to excessive slippage or market impact.
Replace maxOverride with the contract's maxSwapThreshold to enforce the configured limit, removing the parameter from dcaSell.
Line 323 – 333