code-423n4 / 2021-12-yetifinance-findings


Attacker can steal future rewards of `WJLP` from other users #290

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

In the current design/implementation of WJLP and the collateral redemption system, adding JLP as collateral via WJLP obtains rights to the future rewards.

However, when the collaterals are redeemed (from other borrowers), the rights to future rewards are not revoked.

This can be exploited as an economic attack vector.

PoC

Given:

The attacker can do the following steps:

  1. Wrap $1M worth of JLP to WJLP, the WJLP.userInfo[attacker] is the amount of $1M worth of JLP;
  2. Borrow 1M YUSD using the WJLP received as collateral;
  3. Call redeemCollateral() to redeem $1M worth of JLP with 1M YUSD;

WJLP.userInfo[attacker] is still the amount of $1M worth of JLP, and the attacker can continuously call WJLP.getPendingRewards() to collect the rewards.

The attack can be amplified with a flash loan.
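Added example (not from the report or the Yeti Finance contracts): a Python model of the accounting the PoC describes, with the reported behaviour (eligibility left untouched on redemption) beside the sponsor's `updateReward` behaviour, plus an invariant check a reviewer could run over the state. The reward rate, the resync-to-remaining-collateral semantics of `update_reward`, the account names and the block numbers are constructed assumptions.

```python
REWARD_PER_UNIT_PER_BLOCK = 1  # assumed rate, constructed for this example


class WJLPModel:
    """Minimal model of WJLP reward-eligibility accounting (constructed)."""

    def __init__(self, revoke_on_redeem):
        self.revoke_on_redeem = revoke_on_redeem  # True models the updateReward call
        self.user_info = {}    # reward-eligible JLP stake per account (WJLP.userInfo)
        self.collateral = {}   # JLP actually backing each account's trove
        self.last_block = {}   # block of the last eligibility update per account

    def wrap(self, user, amount, block):
        self.user_info[user] = self.user_info.get(user, 0) + amount
        self.collateral[user] = self.collateral.get(user, 0) + amount
        self.last_block[user] = block

    def redeem_collateral(self, borrower, amount, block):
        # Another party redeems YUSD against the borrower's JLP collateral.
        self.collateral[borrower] -= amount
        if self.revoke_on_redeem:
            self.update_reward(borrower, block)

    def update_reward(self, user, block):
        # Assumed semantics: eligibility is resynced to the JLP the borrower
        # still holds, so a full redemption leaves it at 0.
        self.user_info[user] = self.collateral[user]
        self.last_block[user] = block

    def get_pending_rewards(self, user, block):
        elapsed = block - self.last_block[user]
        return self.user_info[user] * REWARD_PER_UNIT_PER_BLOCK * elapsed


def attacker_rewards_after_redemption(revoke_on_redeem):
    """Steps 1-3 of the PoC: wrap, (borrow), get fully redeemed, wait 10 blocks."""
    m = WJLPModel(revoke_on_redeem)
    m.wrap("attacker", 1_000_000, block=0)  # step 1: wrap JLP into WJLP
    # step 2 (borrowing YUSD) does not touch WJLP accounting and is omitted here
    m.redeem_collateral("attacker", 1_000_000, block=1)  # step 3: all JLP redeemed
    return m.get_pending_rewards("attacker", block=11), m


def eligibility_exceeds_collateral(model):
    """Invariant: nobody may be reward-eligible for more JLP than they still back."""
    return sorted(u for u, s in model.user_info.items()
                  if s > model.collateral.get(u, 0))
```

With `revoke_on_redeem=False` the attacker keeps accruing on the full stake after holding no collateral and the invariant check flags the account; with `revoke_on_redeem=True` pending rewards after redemption are 0 and the check is clean.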

kingyetifinance commented 2 years ago

@LilYeti : In TroveManagerRedemptions, https://github.com/code-423n4/2021-12-yetifinance/blob/main/packages/contracts/contracts/TroveManagerRedemptions.sol#L311 WJLP.updateReward is called so this specific attack vector would not be possible, as the amount of reward that the borrower would be eligible for is updated to 0.

alcueca commented 2 years ago

The attack vector is proven to be not possible, but the functionality is still incorrect as to spec, downgraded to low severity.