Zero Fee Manipulation
id: LS09M
title: Zero Fee Manipulation
baseSeverity: M
category: fee-evasion
language: solidity
blockchain: [ethereum]
impact: Users can bypass intended fee logic, drain bandwidth, or access premium actions for free
status: draft
complexity: medium
attack_vector: external
mitigation_difficulty: medium
versions: [">=0.6.0", "<latest"]
cwe: CWE-285
swc: SWC-136
Description
Zero fee manipulation occurs when a protocol that intends to charge users for access, minting, trading, or claiming fails to properly enforce fee payment, allowing attackers or users to:
- Bypass intended transaction costs.
- Exploit fee exemptions or incorrectly handled msg.value == 0 conditions.
- Access premium or limited functions for free.
- Conduct spam or DoS attacks due to underpriced operations.

This flaw undermines protocol revenue, fairness, and on-chain economics, especially in mints, swaps, airdrops, or access-gated functions.
Vulnerable Code
function mint() external payable {
    require(msg.value >= fee, "Fee too low");
    _mint(msg.sender); // no fallback if msg.value == 0 and fee == 0
}
Exploit Scenario
Step-by-step abuse:
- A dApp enables public minting with a fee = 0.01 ETH.
- The contract lacks proper enforcement or incorrectly handles exemptions.
- An attacker sets up a contract to call mint() with msg.value = 0.
- Due to unchecked edge conditions (e.g., exemption not validated), mint succeeds.
- The attacker spams free mints, drains remaining supply, and resells on secondary markets.
Assumptions:
- An attacker exploits a poorly governed feeExempt flag to whitelist themselves.
Fixed Code
function mint() external payable {
    // Exempt callers may skip the fee; every other caller must send at least `fee`.
    require(feeExempt[msg.sender] || msg.value >= fee, "Invalid fee");
    _mint(msg.sender);
}
Contextual Severity
- context: "Default"
  severity: M
  reasoning: "Leads to lost revenue but not catastrophic failure."
- context: "Minting protocol with high transaction volume"
  severity: H
  reasoning: "Significant economic loss due to unchecked minting."
- context: "Testnet or non-economic access controls"
  severity: L
  reasoning: "No meaningful value tied to execution."
Prevention
Primary Defenses
- Enforce minimum msg.value with strict checks for all fee-requiring functions.
- Do not expose feeExempt modifiers without secure admin controls or public logging.
- Default fee logic should be opt-in only via verifiable whitelists, not opt-out.
Additional Safeguards
- Emit fee-related events (FeePaid, FeeBypassed) for traceability.
- Protect fee logic with tests that include msg.value = 0, gas limits, and edge flags.
- Deny zero-fee interactions unless explicitly authorized via signature or Merkle proof.
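A hardened mint that applies the defenses listed above, as an added example that is not part of the original entry. The owner, setFeeExempt, withdraw, FeeExemptSet and minted names are hypothetical, and _mint is a minimal stand-in for a real token mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Only fee, feeExempt, mint, FeePaid and FeeBypassed come
// from the entry; every other name here is hypothetical.
contract FeeGatedMint {
    address public immutable owner;
    uint256 public immutable fee; // required payment in wei
    mapping(address => bool) public feeExempt;
    mapping(address => uint256) public minted;

    event FeeExemptSet(address indexed account, bool exempt);
    event FeePaid(address indexed payer, uint256 amount);
    event FeeBypassed(address indexed account);

    constructor(uint256 fee_) {
        // With fee == 0, `msg.value >= fee` passes for every caller.
        require(fee_ > 0, "fee must be non-zero");
        owner = msg.sender;
        fee = fee_;
    }

    // Exemptions are opt-in, granted only by the owner, and always logged.
    function setFeeExempt(address account, bool exempt) external {
        require(msg.sender == owner, "not owner");
        feeExempt[account] = exempt;
        emit FeeExemptSet(account, exempt);
    }

    function mint() external payable {
        if (feeExempt[msg.sender]) {
            // Design choice: exempt callers send no ETH, so a bypass is explicit.
            require(msg.value == 0, "exempt: send no value");
            emit FeeBypassed(msg.sender);
        } else {
            require(msg.value >= fee, "Invalid fee");
            emit FeePaid(msg.sender, msg.value);
        }
        _mint(msg.sender);
    }

    function withdraw() external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }

    function _mint(address to) internal { minted[to] += 1; }
}
```

Monitoring FeeBypassed and FeeExemptSet off-chain gives a direct count of free mints and of who was granted them.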
Detection Methods
- Slither: fee-evasion, msg.value-zero, insecure-exemption detectors.
- Fuzz testing for all payable functions with boundary conditions.
- Unit tests enforcing fee compliance across normal and exempted users.
Historical Exploits
- Name: Mango Markets Exploit
- Date: October 2022
- Loss: $117 million
- Post-mortem: Link to post-mortem
Further Reading
Vulnerability Report
id: LS09M
title: Zero Fee Manipulation
severity: M
score:
  impact: 4
  exploitability: 3
  reachability: 4
  complexity: 2
  detectability: 5
  finalScore: 3.75
Justifications & Analysis
- Impact: High. Bypassed fees ruin supply control and cause revenue or fairness loss.
- Exploitability: Moderate. Often public and can be automated by bots.
- Reachability: Common in payable functions or exemption patterns.
- Complexity: Low. A few misplaced conditionals often cause this.
- Detectability: High. Easily caught with tools or test harnesses.