Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No check for existing extraRewards during push #89

Open
code423n4 opened this issue Jun 1, 2022 · 1 comment
Open

No check for existing extraRewards during push #89

code423n4 opened this issue Jun 1, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L138
ttps://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DLocker.sol#L156

Vulnerability details

Impact

Similar to a reported I submitted for BaseRewardPool.sol (https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L126)

When adding extraRewards to the extra reward pool in https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L138 , there's no check for already existing address.
Assume a particular address takes up 2 slots out of 3, and a user withdraws staked extra rewards, the user will receive double the amount requested in https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L257-L258

Proof of Concept

  1. Assume rewardManager had mistakenly added the same address twice in addExtraReward()
  2. A user calls stake() , linked rewards is staked twice to the same address (unexpected behaviour I guess but not severe issue)
  3. Now, user calls withdraw() to withdraw linked rewards (this is already 2x in step 2)
  4. User will receive double the linked rewards due to the iteration in https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DRewardPool.sol#L257-L258

Tools Used

Manual review

Recommended Mitigation Steps

Guess a check for an already existing extraRewards can be added before Line 138

##Similar issue
**https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/VE3DLocker.sol#L156 - not so sure of the severity for this.
**https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/BaseRewardPool.sol#L126 - reported in a seperate report
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 1, 2022
code423n4 added a commit that referenced this issue Jun 1, 2022
@code423n4
cryptphi issue #89
df99291
@solvetony solvetony mentioned this issue Jun 15, 2022
Closed
@jetbrain10 jetbrain10 added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jun 15, 2022
@GalloDaSballo
Copy link
Collaborator

The warden has shown how, due to a misconfiguration error, a leak of value can happen, and other depositors (late withdrawers) would lose the rewards that they are entitled to.

Mitigation seems to be straightforward (add a duplicate check, or use a enumerableMap), that said, because of the risk of loss contingent on configuration, I agree with Medium Severity

@GalloDaSballo GalloDaSballo mentioned this issue Jul 20, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @jetbrain10 @code423n4