Closed code423n4 closed 2 years ago
No funds are at risk, this issue would just prevent users from depositing, which would easily be solved by migrating farm.
Sponsor is correct. There are no funds at risk with this exploit. At worst this is a gas issue for the user, but since warden did not mention gas it can't really be considered a gas report. Invalid.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/farming/yVaultLPFarming.sol#L168-L173
Vulnerability details
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/farming/yVaultLPFarming.sol#L168-L173
accRewardPerShare
will monotonically increase. When the number becomes too large, most essential features of the contract can be broken due to overflow.A malicious early user/attacker can manipulate it and break the contract's essential features, and even freeze users' funds.
PoC
1 wei
,totalStaked
= 110 * 1e18
jpeg
toyVaultLPFarming
and calledclaim()
:newAccRewardsPerShare
= 0 + 10 1e18 1e36 / 1accRewardPerShare
become1e55
deposit
100,000 (1e23 wei), the transaction will fail due to overflow in_withdrawReward()
:(balanceOf[account] * (accRewardPerShare - userLastAccRewardPerShare[account]))
= 1e23 * (1e55 - 0) = 1e78type(uint256).max
< 1e78Recommendation
Consider requiring a minimum stake amount for the first depositor, that should make the manipulation much harder.