Status: Closed (closed by code423n4 2 years ago)
JPEG rewards not in the contract are already accounted for by calling vault.balanceOfJPEG, which also returns the total amount of JPEG rewards claimable by the underlying strategy from Convex. These rewards are already accounted for in accRewardPerShare before withdrawJPEG is called.
Sponsor is correct. Invalid.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/farming/yVaultLPFarming.sol#L154-L163
Vulnerability details
When the pending yield/rewards can be triggered to cause a surge of rewardPerShare for the stakers, a well-known attack vector is to take a large portion of the shares before the surge, trigger the harvest, and exit immediately after to steal part of the newly added rewards.
This can be done in about 1 block of time, and with a sufficient amount of funds, a large portion of the pending rewards can be stolen.
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/farming/yVaultLPFarming.sol#L154-L163
Anyone can call vault.withdrawJPEG() to get jpeg rewards to YVaultLPFarming:
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/yVault/yVault.sol#L186-L190
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/yVault/Controller.sol#L156-L166
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/yVault/strategies/StrategyPUSDConvex.sol#L300-L307
PoC
Given:
vault tokens in total;
yVault got 1M jpeg of pending rewards.
The attacker can:
1. deposit() 10M vault tokens;
2. vault.withdrawJPEG() to harvest the jpeg rewards to YVaultLPFarming;
3. withdraw() to get back 10M vault tokens and repay the loan;
4. claim() to claim 0.5M jpeg rewards.
Recommendation
Consider changing reward to the gradual release model:
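To make the recommendation concrete, the following Python model (added here; not code from the jpegd repository) reproduces the PoC accounting with a MasterChef-style accRewardPerShare accumulator and compares the one-shot surge against a variant where each harvest is streamed linearly over a fixed block window. The Farm class, attacker_take, the 10M existing stake (consistent with the 0.5M claim in the PoC) and the 100-block window are assumptions, not the project's API or parameters.

```python
PRECISION = 10**18  # fixed-point scale for the per-share accumulator

class Farm:
    # Assumed minimal pro-rata reward model (not the jpegd contract): pending
    # reward = stake * acc - debt, where debt snapshots acc at the last update.
    def __init__(self):
        self.total, self.acc, self.stake, self.debt, self.owed = 0, 0, {}, {}, {}

    def _settle(self, who, new_stake):
        # Book rewards earned since the last snapshot, apply the stake change, re-snapshot.
        earned = self.stake.get(who, 0) * self.acc // PRECISION - self.debt.get(who, 0)
        self.owed[who] = self.owed.get(who, 0) + earned
        self.total += new_stake - self.stake.get(who, 0)
        self.stake[who] = new_stake
        self.debt[who] = new_stake * self.acc // PRECISION

    def deposit(self, who, amount):
        self._settle(who, self.stake.get(who, 0) + amount)

    def withdraw(self, who, amount):
        self._settle(who, self.stake[who] - amount)

    def harvest(self, amount):
        # Credits `amount` of reward pro rata to everyone staked at this moment.
        if self.total:
            self.acc += amount * PRECISION // self.total

    def claim(self, who):
        self._settle(who, self.stake.get(who, 0))
        return self.owed.pop(who, 0)

def attacker_take(existing, attacker_amount, harvests):
    # The PoC sequence: deposit, sit through the listed harvest credits, withdraw, claim.
    f = Farm()
    f.deposit("honest", existing)
    f.deposit("attacker", attacker_amount)  # borrowed funds, same block
    for credited in harvests:
        f.harvest(credited)
    f.withdraw("attacker", attacker_amount)
    return f.claim("attacker")

# Constructed figures from the PoC; the existing 10M stake is an assumption.
EXISTING, PENDING, ATTACKER, WINDOW = 10_000_000, 1_000_000, 10_000_000, 100
# Current design: withdrawJPEG() lands the whole pending amount in one surge.
print(attacker_take(EXISTING, ATTACKER, [PENDING]))            # 500000
# Gradual release: the surge is streamed over WINDOW blocks and the attacker
# holds for one block, so only one slice (PENDING // WINDOW) is up for grabs.
print(attacker_take(EXISTING, ATTACKER, [PENDING // WINDOW]))  # 5000
```

Holding through the whole window still earns the full pro-rata share, so the streaming model penalises only the deposit-harvest-exit pattern, not long-term stakers.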