Closed c4-bot-5 closed 3 months ago
dmvt marked the issue as primary issue
0xRektora (sponsor) confirmed
0xRektora marked the issue as disagree with severity
Low. While true, the probabilities of this happening are very thin.
dmvt marked issue #107 as primary and marked this issue as a duplicate of 107
dmvt marked the issue as satisfactory
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/governance/twTAP.sol#L315
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/governance/twTAP.sol#L601-L605
Vulnerability details
Description
`TwTAP` uses the `twAML` algorithm to determine the amount of rewards a user gets for locking their `TAP`. There, after you've achieved a certain threshold your lock duration will affect the reward calculation using a state called `cumulative`, which is tracked per pool.

When you join the pool total average magnitude will be added or subtracted from the pool `cumulative` depending on if you lock longer or shorter than the average duration.

`TwTAP::participate`:

When you exit your position, your contribution will be undone in `TwTAP::_releaseTap`:

Both of these have an issue, on lines `L335` and `L604` the `pool.cumulative` can be set to `0`. If this happens any participations would be blocked due to this row in `TwTAP::participate`:

Since you must pass in at least a week as duration, `magnitude` will always be `>0`.

A malicious user could use this to prevent other users from participating thus increasing their own share of the total rewards. If they at start, lock for maximum time, `4 weeks`, to create a lock with a high `averageMagnitude`. Then also lock for a very short period of time, to bring `cumulative` low again.

Then after `4 weeks` they can exit their position with a high `averageMagnitude` which would lower the `pool.cumulative` to `0`. Thus preventing any other users from participating.

If they right before exiting also join with a new position with a duration just enough to not make `pool.cumulative` larger than their exiting `position.averageMagnitude` they can have a large share of the pool and simultaneously prevent others from joining, keeping their high share.

The same user could also have many high `averageMagnitude` positions to combat other users exiting the pool raising the `pool.cumulative`.

Impact
A malicious user can manipulate the `pool.cumulative` to be `0` thus preventing other users from joining. This is to their benefit since they can join right before having a large share of the pool that no one else can participate in.

Proof of Concept
Test in `tap-token/test/TwTAP.t.sol`:

Tools Used
Manual audit

Recommended Mitigation Steps
Consider implementing something similar to `TapiocaOptionBroker`, where there is a fail safe that resets `cumulative` to `1 week` when it is `0`.

Assessed type
Math
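
The accounting described in this report and the recommended fail safe, as an added example that is not part of the original submission or of the twTAP contract: a simplified Python model of the per-pool `cumulative` state. The magnitude formula, the 4x guard, the starting value, the placement of the reset and all names are assumptions, since the contract rows are not reproduced on this page.

```python
from math import isqrt

WEEK = 7 * 24 * 3600  # seconds; minimum lock duration per the report

class Pool:
    """Simplified model of the per-pool state; names and formulas are assumptions."""
    def __init__(self, reset_when_zero=False):
        self.cumulative = WEEK  # assumed starting value
        self.average_magnitude = 0
        self.participants = 0
        self.reset_when_zero = reset_when_zero  # the recommended fail safe

    def participate(self, duration):
        if duration < WEEK:
            raise ValueError("lock shorter than a week")
        if self.reset_when_zero and self.cumulative == 0:
            self.cumulative = WEEK
        # Assumed magnitude: sqrt(d^2 + c^2) - c, always > 0 for d >= WEEK.
        magnitude = isqrt(duration**2 + self.cumulative**2) - self.cumulative
        # Assumed guard: every positive magnitude fails it once cumulative is 0.
        if magnitude >= 4 * self.cumulative:
            raise ValueError("participation blocked")
        self.participants += 1
        self.average_magnitude = (self.average_magnitude + magnitude) // self.participants
        longer = duration >= self.cumulative
        self._shift(self.average_magnitude, up=longer)
        return self.average_magnitude, longer  # the position's record

    def release(self, position):
        average_magnitude, longer = position
        self._shift(average_magnitude, up=not longer)  # undo the contribution

    def _shift(self, amount, up):
        # Saturating subtraction: the step that lets cumulative land on 0.
        self.cumulative = self.cumulative + amount if up else max(self.cumulative - amount, 0)

def scenario(reset_when_zero):
    """Constructed sequence from the report: long lock, short lock, long lock exits."""
    pool = Pool(reset_when_zero)
    long_lock = pool.participate(4 * WEEK)
    pool.participate(WEEK)
    pool.release(long_lock)
    after_exit = pool.cumulative
    try:
        pool.participate(WEEK)  # a later, unrelated participant
        return after_exit, False
    except ValueError:
        return after_exit, True
```

`scenario(False)` ends with `cumulative` at `0` and the later participant rejected; `scenario(True)` reaches the same `0` on exit but the reset lets the later participant in.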