Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If a new extra reward is added later, existing stakes will not be able to withdraw #252

Closed
code423n4 opened this issue Jun 2, 2022 · 2 comments
Closed

If a new extra reward is added later, existing stakes will not be able to withdraw #252

code423n4 opened this issue Jun 2, 2022 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L121-L129
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L175-L178
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L198-L201
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L217-L220
https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L244-L247

Vulnerability details

Impact

When the user stakes token, it iterates over all the extraRewards and adds to the user stake:

  function stake(uint256 _amount) public updateReward(msg.sender) returns (bool) {
    ...
    //also stake to linked rewards
    for (uint256 i = 0; i < extraRewards.length; i++) {
        IRewards(extraRewards[i]).stake(msg.sender, _amount);
    }

When withdrawing it also iterates over all the list and claims the rewards:

  //also withdraw from linked rewards
  for (uint256 i = 0; i < extraRewards.length; i++) {
      IRewards(extraRewards[i]).withdraw(msg.sender, amount);
  }

The problem is that extraRewards list might change between the stake and withdrawal because a reward manager can add a new extra reward:

  function addExtraReward(address _reward) external returns (bool) {
    ...
    extraRewards.push(_reward);
    ...
  }

Existing stakes will not be updated and while the exact implementation of extra rewards is not clear, I expect that it should revert if the amount exceeds user's balance.

The same situation is present in both VE3DRewardPool and BaseRewardPool.

Recommended Mitigation Steps

I think claiming extra rewards should be extracted to a separate function where users can specify the exact rewards that they are interested in.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 2, 2022
code423n4 added a commit that referenced this issue Jun 2, 2022
@code423n4
pauliax issue #252
f67c623
@solvetony solvetony added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Jun 15, 2022
@solvetony
Copy link
Collaborator

Even if there is a new extra pool added after user stake, user will be able to claim reward from it also because it depends in the user balance of the main reward pool not the virtual pool

@GalloDaSballo
Copy link
Collaborator

From my understanding extraRewards are contracts that do not require a direct deposit nor interaction, see

https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VirtualBalanceRewardPool.sol#L61-L62

        return deposits.balanceOf(account);

So, while there may be additional risks that can come from the interaction of the BaseRewardsPool and the extraRewards, in lack of further details, I believe the finding to be invalid.

Please consider adding a coded POC to prove loose of funds / unfair distribution of rewards

@GalloDaSballo GalloDaSballo added the invalid This doesn't seem right label Jul 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @solvetony @code423n4