Handle
broccoli
Vulnerability details
Impact
The reclaimIncentive function of ConcentratedLiquidityPoolManager does not update the rewardsUnclaimed variable after some rewards are reclaimed. Thus, an attacker could add an incentive with a corresponding token, such as DAI, and reclaim the incentive multiple times to drain all the DAI within the manager contract.
Proof of Concept
Referenced code: ConcentratedLiquidityPoolManager.sol#L59-L60
Recommended Mitigation Steps
Reduce incentive.rewardsUnclaimed by amount before the _transfer call (which prevents reentrancy attacks).
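The recommended ordering, shown as an added sketch that is not the Trident source: the contract name IncentiveManagerSketch, the simplified Incentive struct, the addIncentive signature and the require messages are assumptions made for illustration. Only reclaimIncentive, rewardsUnclaimed, amount and _transfer are names taken from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified manager used only to illustrate the mitigation.
contract IncentiveManagerSketch {
    struct Incentive {
        address owner;            // who funded the incentive (assumed field)
        IERC20 token;             // reward token, e.g. DAI
        uint256 rewardsUnclaimed; // amount this incentive may still pay out
    }

    Incentive[] public incentives;

    function addIncentive(IERC20 token, uint256 amount) external returns (uint256 id) {
        id = incentives.length;
        incentives.push(Incentive(msg.sender, token, amount));
        require(token.transferFrom(msg.sender, address(this), amount), "FUNDING_FAILED");
    }

    function reclaimIncentive(uint256 id, uint256 amount, address receiver) external {
        Incentive storage incentive = incentives[id];
        require(incentive.owner == msg.sender, "NOT_OWNER");
        require(incentive.rewardsUnclaimed >= amount, "ALREADY_CLAIMED");

        // Effect before interaction. If this line is missing, the balance
        // check above keeps passing on every call, so one incentive can pay
        // out tokens that back other incentives of the same token.
        incentive.rewardsUnclaimed -= amount;

        // External call last: a callback from the token during the transfer
        // already sees the reduced rewardsUnclaimed.
        _transfer(incentive.token, receiver, amount);
    }

    function _transfer(IERC20 token, address to, uint256 amount) internal {
        require(token.transfer(to, amount), "TRANSFER_FAILED");
    }
}
```

A useful regression check for this class of bug is an invariant test asserting that, for each token, the sum of rewardsUnclaimed across incentives never exceeds the manager's balance of that token.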