code-423n4 / 2022-05-backd-findings

0 stars 0 forks source link

Fees from delisted pool still in reward handler will become stuck after delisting #135

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/Controller.sol#L62-L76

Vulnerability details

Impact

Unclaimed fees from pool will be stuck

Proof of Concept

When delisting a pool the pool's reference is removed from address provider:

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/Controller.sol#L63

Burning fees calls a dynamic list of all pools which no longer contains the delisted pool:

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/RewardHandler.sol#L39

Since the list no longer contains the pool those fees will not be processed and will remain stuck in the contract

Tools Used

Recommended Mitigation Steps

Call burnFees() before delisting a pool

GalloDaSballo commented 2 years ago

The warden has shown how, by removing a pool before calling burnFees, the removed pool will not receive the portion of fees that it should.

Because this finding related to loss of yield, I believe Medium Severity to be appropriate