If The Staking Token Exists In Both StakingRewards.sol And ConvexStakingWrapper.sol Then It Will Be Possible To Continue Claiming Concur Rewards After The Shelter Has Been Activated
#117
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
3 (High Risk)
leekt
added
the
sponsor confirmed
|
The warden has shown that because the shelter mechanism doesn't wipe the balance in the contract, those same tokens can be used to further break the accounting of the contract, with the goal of extracting further rewards. While I believe the wardens work is commendable and have considered High Severity because the accounting of the protocol has been broken, I believe Medium Severity to be more appropriate because the finding:
|
GalloDaSballo
added
2 (Med Risk)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/ConvexStakingWrapper.sol
https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/MasterChef.sol
https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/StakingRewards.sol
Vulnerability details
Impact
Staking tokens are used to deposit into the
StakingRewards.solandConvexStakingWrapper.solcontracts. Once deposited, the user is entitled to Concur rewards in proportion to their staked balance and the underlying pool'sallocPointin theMasterChef.solcontract.The
Shelter.solmechanism allows the owner of theConvexStakingWrapper.solto react to emergency events and protect depositor's assets. The staking tokens can be withdrawn after the grace period has passed. However, these staking tokens can be deposited into theStakingRewards.solcontract to continue receiving Concur rewards not only forStakingRewards.solbut also for theirConvexStakingWrapper.soldeposited balance which has not been wiped. As a result, users are able to effectively claim double the amount of Concur rewards they should be receiving.Proof of Concept
https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/MasterChef.sol
https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/StakingRewards.sol
https://github.com/code-423n4/2022-02-concur/blob/shelter-client/contracts/ConvexStakingWrapper.sol
Tools Used
Manual code review.
Recommended Mitigation Steps
Ensure that staking tokens cannot be deposited in both the
StakingRewards.solandConvexStakingWrapper.solcontracts. If this is intended behaviour, it may be worthwhile to ensure that the sheltered users have their deposited balance wiped from theMasterChef.solcontract upon being sheltered.The text was updated successfully, but these errors were encountered: