Closed c4-bot-1 closed 4 months ago
Picodes marked the issue as duplicate of #141
Picodes changed the severity to 2 (Med Risk)
Picodes marked the issue as satisfactory
Picodes marked the issue as duplicate of #752
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #752
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/PoolsConfig.sol#L63-L74 https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/rewards/RewardsEmitter.sol#L57-L77 https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/StakingRewards.sol#L182-L206
Vulnerability details
Summary
When a token is unwhitelisted, it's Pools are also unwhitelisted. These Pools may have accrued awards between the last time
performUpkeep()
was called and it's subsequent unwhitelisting. However, once a Pool is unwhitelisted, it is no longer eligible to receive Liquidity Rewards meaning users who provided liquidity to these pools will lose any rewards accrued from Arbitrage Profits.Vulnerability Details
There may be arbitrage profits sitting in the Pools contract; a portion of which was generated by the Pool being unwhitelisted. There is no logic in
PoolsConfig::unwhitelistPool()
to account for those profits before unwhitelisting.After Pools have been unwhitelisted there is a check in
RewardsEmitter::addSALTRewards()
preventing any additional rewards being added toliquidityRewardsEmitter
; so the rewards will remain in thesaltRewards
contract. There is a subsequent check instakingRewards::addSALTRewards()
which prevents additional rewards being added so the protocol cannot manually add rewards to rectify the issue.POC
Add the test function below to
DAO.t.sol
and run. The test shows Alice is able to claim due rewards fromstakingRewards
which had already accrued for an unwhitelisted Pool. It then shows that any new attempt to add rewards vialiquidityRewardsEmitter::addSALTRewards
orstakingRewards::addSALTRewards
will revert.Impact
Liquidity Providers to either Pool of an unwhitelisted token will lose any due rewards generated between the last execution of the upkeep process and the token being unwhitelisted.
Tools Used
Manual Review Foundry Testing
Recommendations
As part of the token unwhitelisting prcoess and before removal of the two
PoolID
from_whitelist
storage variable; trigger upkeep steps to ensure that due rewards are updated so that they can be withdrawn by users.Assessed type
Governance