search

code-423n4 / 2022-02-anchor-findings

0 stars 0 forks source link

Rewards distribution fails if no tokens are bonded for bLuna #57

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_basset_reward/src/global.rs#L70-L73

Vulnerability details

Rewards distribution fails if no tokens are bonded for bLuna

Impact

The hub’s UpdateGlobalIndex message sends the UpdateGlobalIndex message to the reward contract, which will return an error if the amount of bonded Luna tokens towards bLuna is zero in anchor-bAsset-contracts/contracts/anchor_basset_reward/src/global.rs. This error will prevent any reward distribution.

Proof of Concept

Contract : anchor-bAsset-contracts/contracts/anchor_basset_reward/src/global.rs Function : pub fn execute_update_global_index(...) Line 70 : 

    // Zero staking balance check
    if state.total_balance.is_zero() {
        return Err(StdError::generic_err("No asset is bonded by Hub"));
    }

Recommended Mitigation Steps

Its recommended to return Ok instead of returning an error.

    // Zero staking balance check
    if state.total_balance.is_zero() {
        return Ok(Response::new());
    }
GalloDaSballo commented 2 years ago

If no tokens bonded, no rewards distributed seems a completely fine scenario

albertchon commented 2 years ago

Agreed with @GalloDaSballo