Open code423n4 opened 1 year ago
GalloDaSballo marked the issue as primary issue
Test is passing, and behaviour seems inconsistent
In lack of specific attack Medium Severity looks appropriate
m19 marked the issue as sponsor confirmed
We confirm this issue and intend to fix it
The Warden has shown how, due to a lack of checks, an inconsistent setting could be achieved, where the total sum of shares would be higher than what would be effectively distributed.
While the issue can be solved by changing again, because the finding shows a reasonable way to achieve an inconsistent state, which can cause loss of tokens, I agree with Medium Severity
GalloDaSballo marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/3f3d2269fcb3437a9f00ffdd67b5029487435b95/src/kuma-protocol/KUMAFeeCollector.sol#L174-L188
Vulnerability details
Impact
When calling KUMAFeeCollector.changePayees() with duplicate payees in
newPayees
, the call is not reverted and the result state will be incorrect.Proof of Concept
Contract KUMAFeeCollector does not support duplicate payees. The transaction will revert when trying to add duplicate payees in addPayee():
But, function KUMAFeeCollector.changePayees() forgets this constraint, which allows duplicate payees to be passed in
newPayees
. This will cause the contract to record an incorrect state and not work properly.For example, if
newPayees
contains duplicate payee A, all of its shares will be added to_totalShares
, but_shares[A]
will only record the last one. As a result, the sum of all recorded_shares
will less than_totalShares
.Test code for PoC:
Outputs:
Tools Used
VS Code
Recommended Mitigation Steps
KUMAFeeCollector.changePayees() should revert if there are duplicates in
newPayees
: