search

code-423n4 / 2023-09-reserve-mitigation-findings

0 stars 0 forks source link

H-03 MitigationConfirmed #5

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

In the previous implementation After shutdown, checkpoints are stopped reward.reward_integral_for[user] No updates resulted in new users getting more rewards and possible theft of rewards.

Mitigation

PR 930 Modify that checkpoints are already executed, just not call IRewardStaking(convexPool).getReward(address(this), true); the mitigation resolved the original issue.

Suggestion

Not calling convexPool.getReward(), there is a slight loss of rewards for transferred users the feeling is that there is no need to ignore this call, convexPool.getReward() don't revert if shutdown

c4-judge commented 1 year ago

thereksfour marked the issue as unmitigated

c4-judge commented 1 year ago

thereksfour marked the issue as new finding

Simon-Busch commented 1 year ago

Updated the labels as requested by CCCZ

thereksfour commented 1 year ago

getReward() is not called after shutdown, which could lead to incorrect reward accumulation. Consider the simple scenario where Alice is the only depositor.

  1. Alice deposits 1000 tokens.
  2. 100 reward tokens are generated, Alice claims the reward, convexPool.getReward() is called, and Alice receives 100 reward tokens.
  3. another 100 reward tokens are generated, and the owner shoutdown the Wrapper.
  4. Alice executes withdraw(1000), since convexPool.getReward() is not triggered, her accumulated rewards will not be increased, but the balance will be changed to 0, So another 100 reward tokens are generated will be lost