Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deposit to Zero/Contract Address Leads To Indefinitely Lock the Rewards #34

Closed
code423n4 opened this issue Mar 12, 2022 · 2 comments
Closed

Deposit to Zero/Contract Address Leads To Indefinitely Lock the Rewards #34

code423n4 opened this issue Mar 12, 2022 · 2 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) invalid This doesn't seem right sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L156

Vulnerability details

Impact

During the code review, It has been observed that, on the NFT staking user can define "to" address with zero/contract address. When the user interface,

Proof of Concept

  1. Navigate to the following contract.

https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L156

    function _sendRewardsForNft(uint256 _nftId, address payable _to) internal {
        NFTInfo storage nft = nftInfo[_nftId];
        require(nft.isStaked, "ERR__NFT_NOT_STAKED");

        (address baseToken, , uint256 amount) = lpToken.tokenMetadata(_nftId);
        amount /= liquidityProviders.BASE_DIVISOR();

        PoolInfo memory pool = updatePool(baseToken);
        uint256 pending;
        uint256 amountSent;
        if (amount > 0) {
            pending = ((amount * pool.accTokenPerShare) / ACC_TOKEN_PRECISION) - nft.rewardDebt + nft.unpaidRewards;
            if (rewardTokens[baseToken] == NATIVE) {
                uint256 balance = address(this).balance;
                if (pending > balance) {
                    unchecked {
                        nft.unpaidRewards = pending - balance;
                    }
                    (bool success, ) = _to.call{value: balance}("");
                    require(success, "ERR__NATIVE_TRANSFER_FAILED");
                    amountSent = balance;
                } else {
                    nft.unpaidRewards = 0;
                    (bool success, ) = _to.call{value: pending}("");
                    require(success, "ERR__NATIVE_TRANSFER_FAILED");
                    amountSent = pending;
                }
            } else {
                IERC20Upgradeable rewardToken = IERC20Upgradeable(rewardTokens[baseToken]);
                uint256 balance = rewardToken.balanceOf(address(this));
                if (pending > balance) {
                    unchecked {
                        nft.unpaidRewards = pending - balance;
                    }
                    amountSent = _sendErc20AndGetSentAmount(rewardToken, balance, _to);
                } else {
                    nft.unpaidRewards = 0;
                    amountSent = _sendErc20AndGetSentAmount(rewardToken, pending, _to);
                }
            }
        }
        nft.rewardDebt = (amount * pool.accTokenPerShare) / ACC_TOKEN_PRECISION;
        emit LogOnReward(_msgSender(), baseToken, amountSent, _to);
    }

Scenario

  1. User deposit to NFT with zero address.
deposit(1,Zero_address)
  1. After the time, User is trying to withdraw rewards for the NFT.
extractRewards(1,UserAddress)
  1. User could not extract rewards due to the following check. The user is already set staker address to zero mistakenly. The staker is zero address.
        nft.staker = _to;

Tools Used

None

Recommended Mitigation Steps

Consider to address validation in the related parameter.

require(_to != 0x0000 & _to != address(this),"Can not stake to zero and contract address")
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 12, 2022
code423n4 added a commit that referenced this issue Mar 12, 2022
@code423n4
defsec issue #34
afda4d4
@ankurdubey521
Copy link
Collaborator

While I agree this is an issue I don't believe this puts any assets at risk since the protocol is working as expected, therefore this should have a severity rating of 1.

@ankurdubey521 ankurdubey521 added disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Mar 30, 2022
@ankurdubey521 ankurdubey521 mentioned this issue Apr 28, 2022
Merged
@pauliax
Copy link
Collaborator

pauliax commented Apr 30, 2022

Agree with the sponsor, this should belong to the QA report of the warden: #112

@pauliax pauliax closed this as completed Apr 30, 2022
@pauliax pauliax added invalid This doesn't seem right and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Apr 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) invalid This doesn't seem right sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ankurdubey521 @pauliax @code423n4