Closed code423n4 closed 1 year ago
GalloDaSballo changed the severity to QA (Quality Assurance)
The finding is correct, but it's circumscribed to an initial time in which the admin has yet to set up the contract
For this reason, I believe this to be a distinct instance, but logically equivalent to a Front-run on Initialize, which we rate QA - Low Severity
L
GalloDaSballo marked the issue as grade-c
Finding is valid, but after scoring the QA Submissions the score is not sufficient
This issue details the scenario in which due to an integer overflow the contract admin is prevented from updating the epoch length for a certain period of time. Essentially a denial of service to admin.
It has nothing to do with contract initialization (and its frontrunning). The explained scenario happens after a complete initial setup was already done by admin.
Can you please review this again @GalloDaSballo @m19
Thank you for flagging @akshaysrivastav will double check
Have double checked and substantially the issue is:
setEpochLength
refreshYield
will revertuntil the first epoch
I believe Low Severity to be the most appropriate, a gotcha issue that is valid, but limited in time and impact (only before first epoch, only after initialization)
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KIBToken.sol#L353 https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KIBToken.sol#L302
Vulnerability details
Impact
The
KIBToken.initialize
function sets the_lastRefresh
parameter to the next epoch timestamp into the future. While the_calculateCumulativeYield
calculates thetimeElapsed
value based uponblock.timestamp
and_lastRefresh
.Since in
initialize
the_lastRefresh
value is set into the future, until that timestamp is passed the first statement of_calculateCumulativeYield
will always get reverted due to integer underflow error.The
_calculateCumulativeYield
function is internally invoked in various functions like:Until the
_lastRefresh
timestamp is passed all these function invocations will get reverted. While most reverts seem intended, there are cases in which this forceful revert will cause issues:setEpochLength In the case where the
KUMA_SET_EPOCH_LENGTH_ROLE
wants to increase the_epochLength
his transaction will always get reverted. Hence preventing the increase of_epochLength
.refreshYield This is a public function the execution of which will get reverted until the
_lastRefresh
timestamp is passed. Hence preventing the refreshing of yields.Proof of Concept
Consider this scenario:
_lastRefresh
was set to a value <30 days into the future.KUMA_SET_EPOCH_LENGTH_ROLE
decides to update the epoch length to 45 days.setEpochLength
call gets reverted due to the underflow error.In this case, the
KUMA_SET_EPOCH_LENGTH_ROLE
cannot increase the epoch length until the_lastRefresh
timestamp is passed.Tools Used
Manual review
Recommended Mitigation Steps
Consider initialising the
_lastRefresh
to a back dated timestamp rather than a future timestamp.