Open code423n4 opened 2 years ago
The warden has shown a way to break the uin128 accounting system in place.
This is contingent on frontrunning the pool and depositing a small amount to cause the division to fail. Additionally, this will cause a DOS that prevents other people from depositing.
I believe that this could be unstuck by continuously (via loop) depositing 1 wei as to slowly increase the totalSupply again.
Mitigation can be attained by either refactoring or by ensuring that the first deposit is big enough (18 decimals) to keep numbers to rational values.
Because the finding is contingent on a setup and because tokens will be rescuable, I believe Medium Severity to be more appropriate
Lines of code
https://github.com/code-423n4/2022-02-concur/blob/02d286253cd5570d4e595527618366f77627cdaf/contracts/ConvexStakingWrapper.sol#L184-L188
Vulnerability details
https://github.com/code-423n4/2022-02-concur/blob/02d286253cd5570d4e595527618366f77627cdaf/contracts/ConvexStakingWrapper.sol#L184-L188
reward.integral
isuint128
, if an early user deposits with just1
Wei oflpToken
, and make_supply == 1
, and then transferring5e18
ofreward_token
to the contract.As a result,
reward.integral
can exceedtype(uint128).max
and overflow, causing the rewards distribution to be disrupted.Recommendation
Consider
wrap
a certain amount of initial totalSupply at deployment, e.g.1e8
, and never burn it. And consider using uint256 instead of uint128 forreward.integral
. Also, consdier lower1e20
down to1e12
.