AuraBalRewardPool charges a penalty to all users in the pool if the AuraLocker has been shut down

[code423n4]

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L176-L186

Vulnerability details

Impact

Users are charged the penalty due to admin actions, and they have no way to avoid it

Proof of Concept

When claiming their rewards, users are charged a penalty if they take the reward directly, rather than by passing it into the auraLocker. Those are the only two options:

File: contracts/AuraBalRewardPool.sol   #1

176       function getReward(bool _lock) public updateReward(msg.sender) returns (bool) {
177           uint256 reward = rewards[msg.sender];
178           if (reward > 0) {
179               rewards[msg.sender] = 0;
180               if (_lock) {
181                   auraLocker.lock(msg.sender, reward);
182               } else {
183                   uint256 penalty = (reward * 2) / 10;
184                   pendingPenalty += penalty;
185                   rewardToken.safeTransfer(msg.sender, reward - penalty);
186               }

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L176-L186

If the pool has been shut down, the auraLocker.lock() call will always revert, which means the user must take the penalty path:

File: contracts/AuraLocker.sol   #2

258       function _lock(address _account, uint256 _amount) internal {
259           require(_amount > 0, "Cannot stake 0");
260           require(!isShutdown, "shutdown");

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L258-L260

Tools Used

Code inspection

Recommended Mitigation Steps

Don't charge the penalty if the locker has been shut down

[0xMaharishi]

The auraBAL reward pool only runs for 2 weeks at the beginning of the protocol. Its highly unlikely the AuraLocker will be shut down.