Open code423n4 opened 2 years ago
The warden has shown how using a specific reward token can lead to reentrnacy for the function claimRewads
Because the finding is contingent on a specific token that enables the exploit, I believe Medium Severity to be appropriate
Lines of code
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConcurRewardPool.sol#L34
Vulnerability details
[ConcurRewardPool] Possible reentrancy when claiming rewards
Impact
Since the reward tokens are transferred before the balances are set to 0, it is possible to perform a reentrancy attack if the reward token has some kind of call back functionality e.g. ERC777. pBTC is an ERC777 token that is currently available on Convex. A similar attack occurred with imBTC on uniswap v1.
Proof of Concept
tokensToSend()
callback function through the ERC-1820 contract.tokensToSend()
function, he callsConcurRewardPool.claimRewards()
n-1 more times to drain contract.ConcurRewardPool.claimRewards()
for the first time, the pBTC reward tokens are transferred._callTokensToSend(from, from, recipient, amount, "", "");
is called inside thetransfer()
function._callTokensToSend
function definition to line 1147, you will notice that it callsIERC777Sender(implementer).tokensToSend(operator, from, to, amount, userData, operatorData);
on line 1159.tokensToSend()
function, this function will be called thus draining majority of the pBTC rewards available on theConcurRewardPool
contract.You can also find a walkthrough replicating a similar attack here.
Recommended Mitigation Steps