Open c4-submissions opened 10 months ago
Nice find. At first glance it doesn't seem to matter but when you pointed out early market conditions resulting in less rewards it makes total sense that it will be a problem we will likely encounter.
Ooppss, the reward threshold defined here should be changed to:
$$ \frac{0,000016} {ratio} * \sum_{i = 0}^{lockedBalances.length - 1} lockedBalances[i] $$
Meaning that:
ratio = 1e18
=> the rewards > 0,05eth
ratio = 5e17
=> the rewards > 0,1eth
Thanks! After discussing internally we decided to solve this by calling setMinAmount(0) on the safEth contract.
Will update this issue when that's done
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as selected for report
elmutt (sponsor) confirmed
Lines of code
https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/votium/VotiumStrategyCore.sol#L302-L304
Vulnerability details
Upon claiming Votium rewards, applyRewards() is intended to be invoked bi-weekly in order to exchange the tokens for eth and put the eth received back into the strategies. Based on the current ratio it either stakes the amount into safETH or obtains some CVX by selling eth on Curve and then locks them to get vlCVX.
Let's say the safEthRatio < ratio, which triggers ISafEth(SAF_ETH_ADDRESS).stake{value: amount} being invoked. And if the amount < ISafEth(SAF_ETH_ADDRESS).minAmount. The whole re-investing strategy collapses.
As of Sep. 2023, the Votium rewards are 0,000016 eth for 1 vlCVX per round, it means, we need at least 3125 vlCVX being delegated to the Votium in order to pass the threshold.
Impact
Recommended Mitigation Steps
Short term: IAfEth(manager).depositRewards into the try/catch block. And if one of the following conditions arises: just simply invoke VotiumStrategy.depositRewards().
Long term: N/A
Assessed type
Context
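The short-term mitigation described in the report, sketched as an added Solidity example; it is not the project's code or the warden's patch. The IAfEth.depositRewards signature, the contract name VotiumRewardsSketch, the _reinvest helper, the ManagerDepositFailed event and the placeholder body of depositRewards are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed signature: the report names IAfEth(manager).depositRewards but
// does not show its parameters.
interface IAfEth {
    function depositRewards(uint256 amount) external payable;
}

// Hypothetical stand-in for the strategy; not the project's contract.
contract VotiumRewardsSketch {
    address public immutable manager;
    uint256 public lockedLocally; // ETH routed by the local fallback

    event ManagerDepositFailed(uint256 amount, bytes reason);

    constructor(address _manager) {
        manager = _manager;
    }

    // Placeholder for VotiumStrategy.depositRewards(): the real function
    // would swap ETH for CVX and lock it; here it only records the amount.
    function depositRewards(uint256 amount) public payable {
        lockedLocally += amount;
    }

    // Tail of applyRewards(): ethReceived is the ETH obtained by selling
    // the claimed reward tokens.
    function _reinvest(uint256 ethReceived) internal {
        if (manager == address(0)) {
            depositRewards(ethReceived);
            return;
        }
        // try/catch only covers the external call. If it reverts (for
        // example stake() rejecting amount < minAmount), the ETH sent with
        // it stays in this contract and can be routed locally.
        try IAfEth(manager).depositRewards{value: ethReceived}(ethReceived) {
            // manager accepted the rewards
        } catch (bytes memory reason) {
            // Keep the revert data observable so monitoring can tell a
            // below-minimum round from an unrelated failure.
            emit ManagerDepositFailed(ethReceived, reason);
            depositRewards(ethReceived);
        }
    }

    // Entry point for exercising the sketch only.
    function applyRewards() external payable {
        _reinvest(msg.value);
    }
}
```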