Ambitious Eggshell Panther - Withdrawing funds from a graduated market does not send fee to the protocolFeeAddress

[sherlock-admin2]

Ambitious Eggshell Panther

Medium

Withdrawing funds from a graduated market does not send fee to the protocolFeeAddress

Summary

Whenever a user buys or sells vote, appropriate fees is calculated which is sent to the protocolFeeAddress.
However when the withdrawGraduatedMarketFunds() is called the funds are sent to the authorized caller but it does not send any fee as it is missing the call to the applyFees().

Proof

As we can see below that when the authorized address call the withdrawGraduatedMarketFunds(), the funds stored in marketFunds is sent to the caller.

File: ReputationMarket.sol

   function withdrawGraduatedMarketFunds(uint256 profileId) public whenNotPaused nonReentrant {
    address authorizedAddress = contractAddressManager.getContractAddressForName(
      "GRADUATION_WITHDRAWAL"
    );
    if (msg.sender != authorizedAddress) revert UnauthorizedWithdrawal();

    _checkMarketExists(profileId);
    if (!graduatedMarkets[profileId]) revert MarketNotGraduated();

    if (marketFunds[profileId] == 0) revert InsufficientFunds();

    _sendEth(marketFunds[profileId]);
    emit MarketFundsWithdrawn(profileId, msg.sender, marketFunds[profileId]);
    marketFunds[profileId] = 0;
  }

But there is no call to applyFees(). Had the votes been sold, the protocol fee would have been sent but since withdrawGraduatedMarketFunds() is missing applyFees(), nothing is sent.

Impact

No protocol fee is sent to the protocolFeeAddress when funds from a graduated market (which still holds some funds) are withdrawn.

Tools Used

Manual Review

Recommendation

Calculate the fee for selling the remaining votes at the time of withdrawing from a graduated market & call applyFees() to send the fee to the protocolFeeAddress.