Closed c4-bot-3 closed 8 months ago
0xSorryNotSorry marked the issue as sufficient quality report
0xSorryNotSorry marked the issue as primary issue
Somewhat similar to #1026 so I'm going to comment something along the same lines:
Acknowledging this, disagree with severity (imo it's informational).
This is the expected behavior, users are supposed to check each other and if the mintRatio goes down, updateMintRatio of others so that they are not earning more rewards unduly. And if mintRatio is going up, users are expected to update their position to benefit from the new ratio. Ultimately the governance is a game of who has relatively more tokens, so the users act as keepers to each other to make sure no undue rewards are earned, and individually they are expected to do the actions needed to maximize their rewards.
eswak (sponsor) acknowledged
eswak marked the issue as disagree with severity
Trumpero changed the severity to QA (Quality Assurance)
Trumpero marked the issue as grade-a
Considering this issue as informational based on the sponsor's comment.
Trumpero marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SurplusGuildMinter.sol#L293-L315
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/main/src/loan/SurplusGuildMinter.sol#L250-L251
Vulnerability details
Impact
When the governor updates the mintRatio, all the users who stake are not required to call updateMintRatio. This can result in lost rewards for users.
Proof of Concept
The following code can be added to the SurplusGuildMinterUnitTest.sol
Tools Used
Foundry
Recommended Mitigation Steps
Adding a modifier to getRewards can help fix this issue. This way, when the user is calling getRewards and the mintRatio has changed, the user will get updated rewards based on the mintRatio.
Assessed type
Timing