Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users Will Lose Rewards If The Shelter Mechanism Is Enacted Before A Recent Checkpoint #115

Open
code423n4 opened this issue Feb 8, 2022 · 1 comment
Open

Users Will Lose Rewards If The Shelter Mechanism Is Enacted Before A Recent Checkpoint #115

code423n4 opened this issue Feb 8, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/ConvexStakingWrapper.sol

Vulnerability details

Impact

The shelter mechanism aims to protect the protocol's users by draining funds into a separate contract in the event of an emergency. However, while users are able to reclaim their funds through the Shelter.sol contract, they will still have a deposited balance from the perspective of ConvexStakingWrapper.sol.

Because users will only receive their rewards upon depositing/withdrawing their funds due to how the checkpointing mechanism works, it is likely that by draining funds to the Shelter.sol contract, users will lose out on any rewards they had accrued up and until that point. These rewards are unrecoverable and can potentially be locked within the contract if the reward token is unique and only belongs to the sheltered _pid.

Proof of Concept

https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/ConvexStakingWrapper.sol

Tools Used

Manual code review.

Recommended Mitigation Steps

Consider allowing users to call a public facing _checkpoint function once their funds have been drained to the Shelter.sol contract. This should ensure they receive their fair share of rewards. Careful consideration needs to be made when designing this mechanism, as by giving users full control of the _checkpoint function may allow them to continue receiving rewards after they have withdrawn their LP tokens.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 8, 2022
code423n4 added a commit that referenced this issue Feb 8, 2022
@code423n4
leastwood issue #115
b424eb8
@leekt leekt added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Feb 18, 2022
@GalloDaSballo
Copy link
Collaborator

The warden has shown how using the Shelter can cause depositors to loose yield they had accrued.

Specifically the loss of yield will be for the time of new rewards accrued since the last _checkpoint

Moving to a global index (to compare user accrual against global rewards), or modifying the shelter to account for yield could be a potential way to mitigate.

The sponsor confirmed and I believe medium severity to be appropriate because this is a Owner Privilege + Yield Loss finding

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @leekt @code423n4