code-423n4 / 2023-10-asymmetry-mitigation-findings


[ADRIRO-NEW-M-04] CVX tracking misses to account for rewards #56

Open c4-submissions opened 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/asymmetryfinance/afeth/blob/74f340568480aa03d043e970fcf2578bea037cf6/contracts/strategies/votium/VotiumStrategyCore.sol#L206

Vulnerability details

Summary

The updated codebase now tracks CVX balances internally. While this is correctly handled in most operations, accounting fails to consider CVX tokens coming from claimed rewards.

Impact

CVX balances in the Votium strategy are now tracked internally. This is done by the introduction of a trackedCvxBalance variable that is updated whenever CVX is bought, sold or locked in Convex.

However, the implementation fails to consider potential CVX tokens coming from rewards. When claiming rewards from either Convex or Votium, CVX tokens might be transferred to the contract, and should be accounted for as part of trackedCvxBalance, since these are tokens owned by the protocol.

This wasn't an issue before, since the CVX balance was simply queried on demand using balanceOf(). But with the introduction of custom tracking for CVX tokens, a failure to consider this scenario would mean not accounting for these rewards as part of the CVX owned by the protocol.

Recommendation

When claiming rewards in claimRewards(), account for any difference in CVX balance and add that to the trackedCvxBalance variable.

    function claimRewards(
        IVotiumMerkleStash.ClaimParam[] calldata _claimProofs
    ) public onlyRewarder {
+       uint256 cvxBalanceBefore = IERC20(CVX_ADDRESS).balanceOf(address(this));
        claimVotiumRewards(_claimProofs);
        claimVlCvxRewards();
+       uint256 cvxBalanceAfter = IERC20(CVX_ADDRESS).balanceOf(address(this));
+       trackedCvxBalance += cvxBalanceAfter - cvxBalanceBefore;
    }
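Review bot: the added delta `trackedCvxBalance += cvxBalanceAfter - cvxBalanceBefore;` assumes the contract's CVX balance can never decrease across `claimVotiumRewards(_claimProofs)` and `claimVlCvxRewards()`; if either call ever sends CVX out of the contract, the subtraction underflows and, under checked arithmetic, reverts, which would block reward claiming entirely. Guarding the update with `if (cvxBalanceAfter > cvxBalanceBefore)` keeps the claim path safe while still crediting any received CVX, and it also documents the "rewards only add CVX" assumption explicitly in code.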

Assessed type

Other

c4-sponsor commented 11 months ago

toshiSat (sponsor) confirmed

d3e4 commented 11 months ago

Does Votium really send CVX as rewards? Isn't Votium rewarding in return for locking CVX which is then used to amass votes? How does it then make sense to pay rewards in CVX?

romeroadrian commented 11 months ago

Does Votium really send CVX as rewards? Isn't Votium rewarding in return for locking CVX which is then used to amass votes? How does it then make sense to pay rewards in CVX?

Yes. Feel free to go to Votium's website.

elmutt commented 11 months ago

https://github.com/asymmetryfinance/afeth/pull/214

c4-judge commented 10 months ago

0xleastwood marked the issue as primary issue

c4-judge commented 10 months ago

0xleastwood marked the issue as selected for report

c4-judge commented 10 months ago

0xleastwood marked the issue as satisfactory