Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reward can be locked in pool when initialize after startTime #211

Closed
code423n4 opened this issue May 24, 2022 · 2 comments
Closed

Reward can be locked in pool when initialize after startTime #211

code423n4 opened this issue May 24, 2022 · 2 comments
Labels
bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L205

Vulnerability details

Impact

  • After startTime anyone can call initialiseRewards() to init AuraBalRewardPool.
  • The attacker can used it to front run when someone transfer reward in. These tokens is locked forever in the contract because there is no way to emergency withdraw or set rewardRate again.

Proof of concept

  • https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L205
  • Attacker transfer duration amount of rewardToken to the pool, just enough for the attack.
  • Because of some reason (forget), after startTime, reward manager is going to init the reward pool. First he/she must transfer some amount of rewardToken into the pool.
  • Attacker see the pending TX and try to front run by calling initialiseRewards(). Now because it’s pass the startTime, attacker can call it and set rewardRate to very low value (= 1 in this case).
  • The amount of rewardToken that reward manager transfer into will be locked there because rewardRate is set and noone can call ​​initialiseRewards() again.

Tools Used

Manual Review

Recommended Mitigation Steps

You can allow reward manager to update rewardRate. Of course, we have to updateReward first before recalculate the rate or add function to withdraw the left over.

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 24, 2022
code423n4 added a commit that referenced this issue May 24, 2022
@0xMaharishi 0xMaharishi added invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue labels May 27, 2022
@0xMaharishi
Copy link

Technically true, but this is not how this works. The reward tokens are transferred far ahead of time

@dmvt
Copy link
Collaborator

dmvt commented Jun 24, 2022

The code is working as expected. If the rewardManager fails to perform their duty before the start time, the contract can be easily redeployed. Invalid.

@dmvt dmvt closed this as completed Jun 24, 2022
@dmvt dmvt removed the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Jun 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working invalid This doesn't seem right sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Development

No branches or pull requests

3 participants