Open code423n4 opened 1 year ago
minhquanym marked the issue as primary issue
0xShaito marked the issue as disagree with severity
It would still return 0. Just a tiny bit more gas usage at max. CVX rewards from convex are dependant on CRV rewards as the protocol mints CVX prorrata to the CRV rewarded
dmvt changed the severity to QA (Quality Assurance)
dmvt marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/Vault.sol#L210 https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/AMPHClaimer.sol#L114 https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/AMPHClaimer.sol#L169
Vulnerability details
Impact
Lack of the check for the case of the
_cvxTotalRewards == 0
in the condition, which lead to the unexpected-behavior of the AmphClaimer#claimable()
function.Proof of Concept
Within the Vault#
claimRewards()
, the AmphClaimer#claimable()
would be called like this: https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/Vault.sol#L210Within the AmphClaimer#
claimable()
, the AMPHClaimer#_claimable()
would be called like this: https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/AMPHClaimer.sol#L114Within the AMPHClaimer#
_claimable()
, if amounts are zero, or AMPH balance is zero, all zeros would simply be returned like this: https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/AMPHClaimer.sol#L169Within the condition at the line AMPHClaimer.sol#L169 in the AMPHClaimer#
_claimable()
above, the following cases is supposed to be checked:_crvTotalRewards == 0
_cvxTotalRewards == 0
_amphBalance == 0
However, within the condition at the line AMPHClaimer.sol#L169 in the AMPHClaimer#
_claimable()
above, there is no check for the case of the_cvxTotalRewards == 0
.Although all zeros are supposed to be returned if amounts are zero or AMPH balance like this (which is written in the NatSpec), the AMPHClaimer#
_claimable()
does not return all zeros.Thus, this lead to the unexpected-behavior of the AmphClaimer#
claimable()
function.Tools Used
Recommended Mitigation Steps
Within the AMPHClaimer#
_claimable()
, consider adding a check for the case of the_cvxTotalRewards == 0
like this:Assessed type
Invalid Validation