Security: Reward Manipulation in function pendingReward

[smartsmartsec]

Impact

• Denial of Service (DoS): Manipulating lpSupply to zero can trigger a division by zero, causing transaction failures and potentially halting the reward distribution process.
• Economic Impact: Inflating lpSupply can dilute the reward per share, leading to reduced rewards for honest participants and undermining the economic incentives of the system.

Affected component(s)

function pendingRewardin MiniChefV3.sol

Attack vector(s)

An attacker can manipulate the lpSupply value through direct interactions with the contract or through other contracts that interact with it, affecting the division operation used in reward calculations.

Suggested description of the vulnerability for use in the CVE

The vulnerability identified in the smart contract's reward calculation mechanism could lead to severe consequences if exploited on the production/mainnet. The flaw centers around the manipulation of the lpSupply state variable, crucial for computing users' rewards. When lpSupply is manipulated to approach zero, it allows attackers to disproportionately increase the reward per share calculation, leading to massive undue earnings. This exploitation not only disrupts the reward distribution but can also result in significant financial losses for other participants.

Discoverer(s)/Credits

xFuzz

Proposed Solution

1. Validation of lpSupply Adjustments: Implement stringent checks to validate any adjustments to lpSupply, ensuring that modifications are only possible through secure, predefined paths. This includes validating inputs and state changes to prevent unauthorized manipulations.
2. Secure Reward Calculation Logic: Enhance the reward calculation logic by safeguarding against potential arithmetic errors. Use established libraries like SafeMath to handle all arithmetic operations, ensuring overflow and underflow are prevented.
3. Isolation of Reward Calculation: Isolate the reward calculation process from direct influence by external contracts or calls. This can be achieved by caching the lpSupply value at the start of each transaction and using this cached value throughout the reward calculation.
4. Periodic Audits and Monitoring: Conduct regular audits of the smart contract, focusing on the reward distribution mechanism and lpSupply management. Implement monitoring systems to alert developers and administrators of unusual activities or discrepancies in lpSupply.

Reference(s)

• https://etherscan.io/address/0x53eaD38ca96D562433427f7Bbfcac960cC1F2E2d?utm_source=immunefi
• https://slowmist.medium.com/slowmist-an-analysis-of-the-attack-on-safedollar-7fe7da7b8418

[lilPlumberBoy]

Hi @smartsmartsec please utilize our bug bounty program through immunefi for issues such as this: https://docs.cove.finance/security/bug-bounty. Also this same tool has created issues today as well and has closed them in preparation to add them to the bug bounty program