Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If token == BADGER, the _handleRewardTransfer function does not work #142

Closed
code423n4 opened this issue Jun 18, 2022 · 2 comments
Closed

If token == BADGER, the _handleRewardTransfer function does not work #142

code423n4 opened this issue Jun 18, 2022 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") valid

Comments

@code423n4
Copy link
Contributor

Lines of code

MyStrategy.sol#L405-L413
BaseStrategy.sol#L346-L353
Vault.sol#L396-L415

Vulnerability details

Impact

In MyStrategy.sol, when claiming bribes or sweeping reward tokens, the _handleRewardTransfer function is called which calls _sendToBadgerTree to send the amount of BADGER in the contract to the BADGER_TREE. However, the _processExtraToken (in BaseStrategy.sol) called after the transfer to BADGER_TREE will attempt to transfer the same amount of BADGER to the vault.

This leads to the sweepRewardToken, sweepRewards and claimBribesFromHiddenHand functions not working properly if BADGER is claimed.

Proof of Concept

The tests do not consider when the contract contains BADGER tokens, so the BADGER token should be added in the conftest.py test file.

Test code added to conftest.py:

@pytest.fixture
def badger(deployer):
    TOKEN_ADDRESS = BADGER
    token = interface.IERC20Detailed(TOKEN_ADDRESS)
    BADGER_WHALE = accounts.at(BADGER_WHALE_ADDRESS, force=True)  ## Address with tons of token

    token.transfer(deployer, token.balanceOf(BADGER_WHALE), {"from": BADGER_WHALE})
    return token

BADGER tokens should then be sent to the strategy contract and an attempt to sweep the BADGER should fail.

Test code added to test_custom.py:

def test_sweep_BADGER(badger, strategy, strategist, deployer):
    badger.transfer(strategy, badger.balanceOf(deployer), {"from": deployer})
    # test the strategy has BADGER tokens
    assert badger.balanceOf(strategy) > 0
    # test that sweep reverts
    with brownie.reverts():
        strategy.sweepRewards([badger], {"from": strategist})
    # sanity check the sweep was unsuccessful
    assert badger.balanceOf(strategy) > 0

Recommended Mitigation Steps

The purpose of the _processExtraToken function in BaseStrategy.sol seems to be to forward the extra token (BADGER) to the BADGER_TREE and to process fees. This should mean that the transfer to BADGER_TREE in _sendBadgerToTree is not necessary and can be removed.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 18, 2022
code423n4 added a commit that referenced this issue Jun 18, 2022
@code423n4
dipp issue #142
a670ce1
@GalloDaSballo
Copy link
Collaborator

This is a basic developer oversight, I agree with the finding

@GalloDaSballo GalloDaSballo added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jun 18, 2022
@GalloDaSballo
Copy link
Collaborator

Maybe Dup of M-02 @jack-the-pug

@jack-the-pug jack-the-pug added duplicate This issue or pull request already exists valid and removed valid labels Jul 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @code423n4 @jack-the-pug