Open code423n4 opened 1 year ago
minhquanym marked the issue as primary issue
Medium
severity.
0xRektora marked the issue as disagree with severity
0xRektora marked the issue as sponsor confirmed
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as selected for report
dmvt changed the severity to 3 (High Risk)
dmvt changed the severity to 2 (Med Risk)
Lines of code
https://github.com/Tapioca-DAO/tapioca-yieldbox-strategies-audit/blob/05ba7108a83c66dada98bc5bc75cf18004f2a49b/contracts/stargate/StargateStrategy.sol#L236
Vulnerability details
Impact
Stargate token rewards are received during
lpStaking.deposit
but only accounted for incompound
. As a result, token rewards earned during_deposited
execution are permanently locked in the contract.Proof of Concept
In
lpStaking.deposit
, any unclaimed rewards are transferred to the sender.In
StargateStrategy
, thisdeposit
function is called in two places,compound
and_stake
(called by_deposited
).compound
contains logic to process any newly acquired reward tokens earned from it's call tolpStaking.deposit
._stake
on the other hand, does not contain any logic to process reward tokens acquired fromlpStaking.deposit
.As a result, since reward tokens are acquired during
_deposited
execution, but only the tokens acquired duringcompound
execution are actually processed, all tokens acquired during_deposited
execution are permanently locked in the contract.Recommended Mitigation Steps
It is recommended that
compound
swaps the entire balance of reward tokens rather than just the newly acquired balance.Assessed type
Token-Transfer