Open code423n4 opened 12 months ago
0xSorryNotSorry marked the issue as primary issue
ElliotFriedman marked the issue as sponsor confirmed
emission owners are trusted actors and there can only be a single type of emission token reward stream per mToken.
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
This is a duplicate of #312, which is QA
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/main/src/core/MultiRewardDistributor/MultiRewardDistributor.sol#L418-L425
Vulnerability details
Impact
There can only be one
emissionToken
per market. If two different users both want to do campaigns with the same token, even if at different times, they share the same "pool". This could either be misused by a user, to intentionally not fund the campaign stealing funds from the other. Or reward claims from one campaign spill over to the next one.Proof of Concept
Bob requests a campaign where they emit
USDC
for a market. They then never actually add anyUSDC
but let the rewards accumulate.Then, after Bobs "campaign" has ended, Alice also wants to do a campaign in
USDC
. She gets ownership of this configuration and configure their new endTime and speed. The issue is that Bobs previous accumulated rewards are still there and can drain Alice new campaign.Test in
MultiRewardDistributor.t.sol
,MultiRewardDistributorCommonUnitTest
:This PoC is a bit handwavey but it shows that the emission "pool" is shared across all users of that token. Hence, in practice, an
emissionToken
cannot be reused. As soon as someone usesUSDC
orWETH
as a reward token, they can never be used again in the same market.Tools Used
Manual audit
Recommended Mitigation Steps
Consider adding an ability to remove an
emissionConfig
. Or add more bookkeeping which owner adds which funds and can only extract rewards for their own funds.Assessed type
Other