Open c4-submissions opened 1 year ago
Judge status history (thereksfour): marked satisfactory, then nullified, then confirmed for report, then not confirmed for report, then finally satisfactory.
Lines of code
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/stargate/StargateRewardableWrapper.sol#L48
Vulnerability details

A vulnerability was identified within the `StargateRewardableWrapper` contract that could lead to the permanent lock of staked funds. The vulnerability was due to flawed deposit/withdraw/transfer logic which would revert under specific circumstances.

Mitigation

PR #896. Three key modifications were made to the smart contracts in response to the suggested recommendation:

- Change to StargatePoolFiatCollateral.sol: in situations where `_totalSupply` is 0, the `_rate` is now set to `FIX_ONE` to avoid any potential division by zero issues.
- Changes to StargateRewardableWrapper.sol: `_claimAssetRewards()` has been modified to incorporate a conditional check for `allocPoint` and `totalSupply()` before calling `stakingContract.deposit(poolId, 0)`. In case these conditions are not met, `stakingContract.emergencyWithdraw(poolId)` is called to safeguard the funds.
- Modifications were also made to `_afterDeposit()` and `_beforeWithdraw()`, incorporating checks for `poolInfo.allocPoint` and conditionally calling `stakingContract.deposit(poolId, _amount)` or `stakingContract.withdraw(poolId, _amount)` and `stakingContract.emergencyWithdraw(poolId)` as necessary.
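The guard pattern described above, written out as an added illustration (this is not the code from PR #896 or any Reserve protocol contract). It assumes a MasterChef-style staking contract exposing `poolInfo`, `deposit`, `withdraw` and `emergencyWithdraw`; the interface below is a hypothetical subset, the contract name and `_poolIsLive()` helper are the editor's, and the hook signatures are simplified. The point it demonstrates is that every call into the staking contract is gated on the pool still being live (`allocPoint != 0`), and that a dead pool is exited through `emergencyWithdraw`, which forfeits rewards but never reverts on the funds themselves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Illustrative sketch (not the protocol's code) of the guarded staking-wrapper
// pattern: interact with the reward pool only while it is live, otherwise fall
// back to emergencyWithdraw so the wrapped LP tokens can never be locked.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumed subset of a MasterChef-style staking contract (hypothetical names).
interface ILPStaking {
    function poolInfo(uint256 pid)
        external
        view
        returns (address lpToken, uint256 allocPoint, uint256 lastRewardBlock, uint256 accRewardPerShare);
    function deposit(uint256 pid, uint256 amount) external;
    function withdraw(uint256 pid, uint256 amount) external;
    function emergencyWithdraw(uint256 pid) external;
}

abstract contract GuardedStakingWrapperSketch {
    ILPStaking public immutable stakingContract;
    IERC20 public immutable pool;      // the LP token this wrapper holds for users
    uint256 public immutable poolId;

    constructor(ILPStaking staking, IERC20 lpToken, uint256 pid) {
        stakingContract = staking;
        pool = lpToken;
        poolId = pid;
    }

    // Wrapper share supply; provided by the concrete ERC20 implementation.
    function totalSupply() public view virtual returns (uint256);

    // A pool whose allocPoint has been zeroed no longer accrues rewards and,
    // depending on the staking contract, deposit/withdraw may revert for it.
    function _poolIsLive() internal view returns (bool) {
        (, uint256 allocPoint, , ) = stakingContract.poolInfo(poolId);
        return allocPoint != 0;
    }

    // Harvest: "deposit 0" is the usual MasterChef trick to pull pending
    // rewards. Only do it while the pool is live and we actually have shares;
    // otherwise exit the pool entirely so the stake is back under our control.
    function _claimAssetRewards() internal {
        if (_poolIsLive() && totalSupply() != 0) {
            stakingContract.deposit(poolId, 0);
        } else {
            stakingContract.emergencyWithdraw(poolId);
        }
    }

    // After a user deposit the LP tokens are sitting in this contract.
    // Stake them only into a live pool; a dead pool would just trap them.
    function _afterDeposit(uint256 amount) internal {
        if (_poolIsLive()) {
            pool.approve(address(stakingContract), amount);
            stakingContract.deposit(poolId, amount);
        }
    }

    // Before paying a user out, make sure this contract holds enough LP tokens.
    // Live pool: normal withdraw (also harvests). Dead pool: emergency exit,
    // which returns the whole stake without touching reward accounting.
    function _beforeWithdraw(uint256 amount) internal {
        if (_poolIsLive()) {
            stakingContract.withdraw(poolId, amount);
        } else if (pool.balanceOf(address(this)) < amount) {
            stakingContract.emergencyWithdraw(poolId);
        }
    }
}
```

The design choice worth noting is that the dead-pool branch of `_beforeWithdraw` only calls `emergencyWithdraw` when the wrapper's own LP balance cannot cover the request; once the stake has been pulled out, later withdrawals are served from that balance and the staking contract is no longer in the critical path at all.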
The changes (going beyond the suggested recommendation) made to the smart contracts successfully address the identified vulnerability, implementing a structured approach to handle emergency situations and ensuring that user funds remain accessible under all circumstances. This mitigation review confirms the successful rectification of the identified issue, making the `StargateRewardableWrapper` and associated contracts more robust against potential adversarial actions.