code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In ConcentratedLiquidityPoolManager, an user can claimReward of a subscribed position. In order to compute the correct amount, secondsUnclaimed needs to be calculated, but it's implemented incorrectly:

uint256 secondsUnclaimed = (maxTime - incentive.startTime) << (128 - incentive.secondsClaimed);

This line should be: uint256 secondsUnclaimed = ((maxTime - incentive.startTime) << 128) - incentive.secondsClaimed;.

Proof of Concept

https://github.com/sushiswap/trident/blob/c405f3402a1ed336244053f8186742d2da5975e9/contracts/pool/concentrated/ConcentratedLiquidityPoolManager.sol#L93 https://github.com/sushiswap/trident/blob/c405f3402a1ed336244053f8186742d2da5975e9/contracts/pool/concentrated/ConcentratedLiquidityPoolManager.sol#L110

Tools Used

editor

Recommended Mitigation Steps

Correct the computations.

sarangparikh22 commented 3 years ago

Duplicate of #41 Disagree with severity, should be 2.

alcueca commented 2 years ago

Functionality is unavailable, but assets are not lost. Severity 2.

code-423n4 / 2021-09-sushitrident-2-findings