code-423n4 / 2023-10-ethena-findings


Rewards transfer In fail #689

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L90

Vulnerability details

Impact

The rewards transfer-in will fail when the current VESTING_PERIOD is not finished.

Proof of Concept

`function getUnvestedAmount() public view returns (uint256)` is used to calculate the remaining rewards in the current VESTING_PERIOD. If the period is finished, the result will be 0. https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L89-L99 . The function above tries to calculate the rewards and start a new VESTING_PERIOD, while line 90, `if (getUnvestedAmount() > 0) revert StillVesting();`, shows that if the current period has unvested rewards the call will revert, which is an error.

Tools Used

Recommended Mitigation Steps

Reverse the `if` condition to `if (getUnvestedAmount() == 0) revert StillVesting();` or `if (!(getUnvestedAmount() > 0)) revert StillVesting();`

Assessed type

Error
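The following is an added Python model of the reward-vesting gate the report discusses; it is not the contract's code or anything from the Ethena repository. It assumes, as the report states, that `getUnvestedAmount()` returns the not-yet-vested part of the last reward batch and 0 once the period has elapsed, and additionally assumes linear vesting and an 8-hour period (constructed values; the behaviour shown does not depend on them). It runs the same three transfer attempts (fresh contract, mid-period, after the period) against both the check as written on line 90 and the reversed condition from the recommended mitigation, so a reviewer can see what each variant accepts and rejects.

```python
"""Constructed model of a StakedUSDe-style reward-vesting gate.

Not the audited contract. Models two functions the report discusses:
  - get_unvested_amount(): portion of the last batch not yet vested
    (assumed linear over VESTING_PERIOD; 0 once the period has elapsed)
  - transfer_in_rewards(): gated by the unvested amount
Timestamps are simulated so the scenario runs offline.
"""

VESTING_PERIOD = 8 * 60 * 60  # constructed value: 8 hours in seconds


class StillVesting(Exception):
    """Stands in for the contract's StillVesting() revert."""


class VestingModel:
    def __init__(self, revert_when_unvested: bool = True):
        # True  -> the check as written:  revert if get_unvested_amount() > 0
        # False -> the proposed reversal: revert if get_unvested_amount() == 0
        self.revert_when_unvested = revert_when_unvested
        self.vesting_amount = 0             # size of the last reward batch
        self.last_distribution_timestamp = 0
        self.now = 0                        # simulated block.timestamp

    def warp(self, seconds: int) -> None:
        """Advance the simulated clock."""
        self.now += seconds

    def get_unvested_amount(self) -> int:
        elapsed = self.now - self.last_distribution_timestamp
        if elapsed >= VESTING_PERIOD:
            return 0
        # integer arithmetic, as Solidity would do it
        return (VESTING_PERIOD - elapsed) * self.vesting_amount // VESTING_PERIOD

    def transfer_in_rewards(self, amount: int) -> int:
        """Accept a new batch, or raise StillVesting per the selected check."""
        unvested = self.get_unvested_amount()
        if self.revert_when_unvested:
            if unvested > 0:
                raise StillVesting()
        else:
            if unvested == 0:
                raise StillVesting()
        # leftover (always 0 under the check as written) rolls into the new batch
        self.vesting_amount = amount + unvested
        self.last_distribution_timestamp = self.now
        return self.vesting_amount


def run_scenario(revert_when_unvested: bool) -> list:
    """Three transfer attempts: t=0 (fresh), +4h (mid-period), +4h (period done).

    Each entry is (outcome, vesting_amount, unvested_after_call).
    """
    model = VestingModel(revert_when_unvested)
    outcomes = []
    for step, amount in ((0, 1000), (4 * 3600, 500), (4 * 3600, 500)):
        model.warp(step)
        try:
            new_batch = model.transfer_in_rewards(amount)
            outcomes.append(("ok", new_batch, model.get_unvested_amount()))
        except StillVesting:
            outcomes.append(("StillVesting", model.vesting_amount,
                             model.get_unvested_amount()))
    return outcomes


if __name__ == "__main__":
    for label, flag in (("check as written", True), ("reversed condition", False)):
        print(label)
        for outcome in run_scenario(flag):
            print("  ", outcome)
```

With the check as written, the first transfer is accepted, the mid-period transfer reverts with StillVesting (the behaviour the report describes), and the transfer after the period completes is accepted. With the reversed condition, all three attempts revert: on a fresh contract `get_unvested_amount()` is already 0, so the gate never opens.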

c4-pre-sort commented 11 months ago

raymondfam marked the issue as low quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as primary issue

raymondfam commented 11 months ago

Insufficient proof.

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Insufficient proof