c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L274-L278 https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L249-L272 https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L286-L301

Vulnerability details

Vulnerability Details

The PrimeLiquidityProvider.accrueTokens() and PrimeLiquidityProvider._initializeToken() functions rely on block.number for calculating token accruals and initializing token distributions. This approach can lead to inconsistent behavior when deployed on Layer 2 solutions like Arbitrum or Optimism (opBNB), where block.number doesn't operate the same way as it does on Ethereum mainnet.

getBlockNumber():

function getBlockNumber() public view virtual returns (uint256) {
    return block.number; //@audit-issue block.number means different things on different L2s    
}

For PrimeLiquidityProvider.accrueTokens():

uint256 blockNumber = getBlockNumber();
uint256 deltaBlocks = blockNumber - lastAccruedBlock[token_];

For PrimeLiquidityProvider._initializeToken():

uint256 blockNumber = getBlockNumber();
uint256 initializedBlock = lastAccruedBlock[token_];

Impact

Inconsistent Behavior: The functions may not work as intended when deployed on Layer 2 solutions, affecting the token accrual and distribution mechanisms.
Exploitability: Malicious actors may exploit the varying behaviors of block.number on different platforms to manipulate token accrual or initialization.

Tools Used

Manual review
Solodit

Recommended Mitigation Steps

Use block.timestamp: Consider using block.timestamp instead of block.number to measure the time between actions, as block.timestamp is more consistent across different blockchains.

Assessed type

Other

c4-pre-sort commented 1 year ago

0xRobocop marked the issue as duplicate of #132

c4-judge commented 12 months ago

fatherGoose1 changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

fatherGoose1 marked the issue as grade-b

code-423n4 / 2023-09-venus-findings

Inconsistent Behavior in `accrueTokens()` and `_initializeToken()` Due to Use of `block.number` #117