Users can submit valid orders and avoid paying fees if they use a zero gas price. The computation of fees for each transaction is performed in the `calculateFillResults` function. It uses the gas price selected by the user and the `protocolFeeMultiplier` coefficient. Since the user completely controls the gas price of their transaction and the price could even be zero, the user could feasibly avoid paying fees.
Short term, select a reasonable minimum value for the protocol fee for each order or transaction. Long term, consider not depending on the gas price for the computation of protocol fees. This will avoid giving miners an economic advantage in the system.
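
A minimal Solidity sketch of the fee pattern described above next to the short-term mitigation, added here as an example and not taken from the 0x code base or the audit report. The contract, its function names and the `minProtocolFee` floor are assumptions; only `protocolFeeMultiplier` is named in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, NOT the 0x Exchange source. Every name here is
// hypothetical except protocolFeeMultiplier, which the finding mentions.
contract ProtocolFeeSketch {
    uint256 public immutable protocolFeeMultiplier; // coefficient applied to the gas price
    uint256 public immutable minProtocolFee;        // assumed floor, in wei
    uint256 public collectedFees;

    event ProtocolFeePaid(address indexed payer, uint256 fee, uint256 gasPrice);

    constructor(uint256 multiplier, uint256 minFee) {
        protocolFeeMultiplier = multiplier;
        minProtocolFee = minFee;
    }

    // Pattern described in the finding: the fee is a pure function of a value
    // the sender chooses, so tx.gasprice == 0 yields a fee of 0.
    function feeFromGasPrice() public view returns (uint256) {
        return tx.gasprice * protocolFeeMultiplier;
    }

    // Short-term recommendation: never charge less than a fixed minimum.
    function feeWithFloor() public view returns (uint256) {
        uint256 fee = feeFromGasPrice();
        return fee < minProtocolFee ? minProtocolFee : fee;
    }

    // Charges the floored fee for one fill and refunds any excess ETH.
    function payProtocolFee() external payable returns (uint256 fee) {
        fee = feeWithFloor();
        require(msg.value >= fee, "protocol fee underpaid");
        collectedFees += fee; // state updated before the external call
        emit ProtocolFeePaid(msg.sender, fee, tx.gasprice);

        uint256 refund = msg.value - fee;
        if (refund > 0) {
            (bool ok, ) = msg.sender.call{value: refund}("");
            require(ok, "refund failed");
        }
    }
}
```

The long-term recommendation corresponds to dropping `tx.gasprice` from the calculation entirely, for example by charging a fee that does not depend on any sender-chosen transaction field.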
- ToB Audit 0x Protocol Finding 7
- Data Validation
- Medium Severity
- Zero Gas -> Zero Fee
- Minimum Fee
- No tx.gasprice -> Fee
- Youtube Reference
- Medium Risk severity finding from ToB’s Audit of 0x Protocol