Open c4-submissions opened 11 months ago
toshiSat (sponsor) confirmed
Does Votium really send CVX as rewards? Isn't Votium rewarding in return for locking CVX which is then used to amass votes? How does it then make sense to pay rewards in CVX?
Yes. Feel free to go to Votium's website.
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as selected for report
0xleastwood marked the issue as satisfactory
Lines of code
https://github.com/asymmetryfinance/afeth/blob/74f340568480aa03d043e970fcf2578bea037cf6/contracts/strategies/votium/VotiumStrategyCore.sol#L206
Vulnerability details
Summary
The updated codebase now tracks CVX balances internally. While this is correctly handled in most operations, accounting fails to consider CVX tokens coming from claimed rewards.
Impact
CVX balances in the Votium strategy are now tracked internally. This is done by the introduction of a trackedCvxBalance variable that is updated whenever CVX is bought, sold or locked in Convex.
However, the implementation fails to consider potential CVX tokens coming from rewards. When claiming rewards from either Convex or Votium, CVX tokens might be transferred to the contract, and should be accounted for as part of trackedCvxBalance, since these are tokens owned by the protocol.
This wasn't an issue before, since CVX balance was simply queried on demand using balanceOf(). But with the introduction of custom tracking for CVX tokens, a failure to consider this scenario would mean not accounting these rewards as part of the owned CVX by the protocol.
Recommendation
When claiming rewards in claimRewards(), account for any difference in CVX balance and add that to the trackedCvxBalance variable.
Assessed type
Other
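The balance-delta accounting described in the recommendation, as an added example that is not the afETH code or part of the original report. The IRewardSource interface, the TrackedCvxExample contract, the CvxRewardTracked event and the untrackedCvx() helper are hypothetical names chosen for illustration; only trackedCvxBalance, claimRewards() and balanceOf() come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 view needed for the balance check.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical stand-in for a reward distributor (not the Convex or Votium interface).
interface IRewardSource {
    function claim(address recipient) external;
}

contract TrackedCvxExample {
    IERC20 public immutable cvx;           // CVX token, supplied at deployment
    IRewardSource public immutable source; // hypothetical reward distributor
    uint256 public trackedCvxBalance;      // internal accounting, as in the report

    event CvxRewardTracked(uint256 amount);

    constructor(IERC20 _cvx, IRewardSource _source) {
        cvx = _cvx;
        source = _source;
    }

    // Claims rewards and credits any CVX received to the internal counter.
    // Access control is omitted here to keep the example focused on accounting.
    function claimRewards() external returns (uint256 received) {
        uint256 balanceBefore = cvx.balanceOf(address(this));
        source.claim(address(this));
        uint256 balanceAfter = cvx.balanceOf(address(this));

        // Credit only the delta across the claim call. Checked arithmetic
        // reverts if the claim somehow reduced the CVX balance.
        received = balanceAfter - balanceBefore;
        if (received > 0) {
            trackedCvxBalance += received;
            emit CvxRewardTracked(received);
        }
    }

    // Consistency check for tests and monitoring: CVX held by this contract
    // that the counter does not cover. Reverts if the counter exceeds holdings.
    function untrackedCvx() external view returns (uint256) {
        return cvx.balanceOf(address(this)) - trackedCvxBalance;
    }
}
```

Without the delta step, untrackedCvx() would grow by the CVX reward amount after every claim, which is the accounting gap the report describes.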