code-423n4 / 2022-05-sturdy-findings


Reward Manager of the Convex Base Reward Pool Can DoS `processYield()` #140

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/ConvexCurveLPVault.sol#L87-L111

Vulnerability details

Impact

The ConvexCurveLPVault.sol contract allows users to earn a yield on Curve token deposits. Rewards are paid out in native CRV and CVX tokens, but the reward manager of the base pool may opt to add extra rewards. Because the reward manager has the ability to extend the list of extra rewards, they can extend it such that the processYield() function is unable to execute within a single block. As a result, the protocol effectively loses out on all yield accrued by users' deposits. This yield is forever locked in the contract, as the yield is never transferred out from the vault contract.

Recommended Mitigation Steps

Consider restricting the number of extra rewards by only iterating through the first X number of tokens in processYield().
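As an added illustration of the pattern in this finding (example code, not the Sturdy vault's code or the finding author's), the unbounded loop is shown next to a capped version. The `IBaseRewardPool`/`IVirtualRewardPool` interfaces and `MAX_EXTRA_REWARDS` are assumptions; `extraRewardsLength()`, `extraRewards(uint256)` and the per-pool `getReward` follow the Convex reward pool contracts as assumed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interfaces modelled on Convex's BaseRewardPool and
// VirtualBalanceRewardPool; only the members used below are declared.
interface IBaseRewardPool {
    function extraRewardsLength() external view returns (uint256);
    function extraRewards(uint256 index) external view returns (address);
    function getReward(address account, bool claimExtras) external returns (bool);
}

interface IVirtualRewardPool {
    function rewardToken() external view returns (address);
    function getReward(address account) external;
}

contract YieldProcessorExample {
    IBaseRewardPool public immutable baseRewardPool;
    // Hypothetical cap: at most this many extra-reward pools are visited per call.
    uint256 public constant MAX_EXTRA_REWARDS = 10;

    event ExtraRewardClaimed(address indexed pool, address indexed token);

    constructor(address pool) {
        baseRewardPool = IBaseRewardPool(pool);
    }

    // Vulnerable pattern: the loop bound is the pool's extra-reward count, which
    // the pool's reward manager controls; a long enough list pushes this call
    // past the block gas limit and no yield can ever be processed.
    function processYieldUnbounded() external {
        baseRewardPool.getReward(address(this), false); // base CRV/CVX only
        uint256 n = baseRewardPool.extraRewardsLength();
        for (uint256 i = 0; i < n; i++) {
            _claimExtra(baseRewardPool.extraRewards(i));
        }
    }

    // Mitigated pattern: only the first MAX_EXTRA_REWARDS entries are visited,
    // so gas usage stays bounded no matter how the list grows.
    function processYieldBounded() external {
        baseRewardPool.getReward(address(this), false);
        uint256 n = baseRewardPool.extraRewardsLength();
        if (n > MAX_EXTRA_REWARDS) n = MAX_EXTRA_REWARDS;
        for (uint256 i = 0; i < n; i++) {
            _claimExtra(baseRewardPool.extraRewards(i));
        }
    }

    function _claimExtra(address extraPool) internal {
        IVirtualRewardPool(extraPool).getReward(address(this));
        emit ExtraRewardClaimed(extraPool, IVirtualRewardPool(extraPool).rewardToken());
    }
}
```

Capping the loop trades completeness for liveness: extra rewards beyond the cap are simply not claimed by this call, which is the accepted cost of keeping the base yield reachable.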

sforman2000 commented 2 years ago

Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/70