c4-bot-9 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/Upkeep.sol#L107

Vulnerability details

Impact

The rewards earned from the DAOs POL are distributed among the team wallet, then part of the remaining rewards are burned and the rest are kept as DAOs balance.

The issue, is that is possible for the DAO to claim SALT rewards without sending the team's share to the team wallet and without burning the amount that should be burned.

Proof of Concept

The first step during the upkeep functionality is to perform the upkeep on the liquidizer contract.

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/Upkeep.sol#L107

During that, if the amount of USDS to be burned is greater than the current balance of the liquidizer contract, then the code will withdraw some POL from the usds/dai and usds/salt pools:

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/stable/Liquidizer.sol#L123-L124

When removing liquidity, the code will decrease the dao's share and in doing so it will send to it some rewards proportional to the amount of shares decreased:

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/StakingRewards.sol#L136-L137

It is important note that pool rewards do not necessary comes from the emitter, but they can be added by third party protocols via the addRewards function in the StakingRewards contract:

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/StakingRewards.sol#L182

Tools Used

Manual Review

Recommended Mitigation Steps

Two options:

Save the amount of rewards received when withdrawing some POL, so they can be distributed and burned.
Make the call to claim all the rewards at the beginning of upkeep.