Open c4-bot-8 opened 1 month ago
Reopening for sponsor review
This has been fixed at: https://github.com/munchablesorg/munchables-common-core-latest/pull/14/files
The submission outlines a discrepancy in the rewards a user will acquire due to the update of an account's lock duration, and thereby the update of all their existing locks, not claiming Schnibble rewards and thus not updating the relevant entries in the AccountManager
.
The vulnerability effectively permits users to change their lock duration and acquire more rewards than they would normally receive as the update would retroactively apply to existingly-vested rewards. I believe a medium risk rating is fair as rewards would be distributed at a higher rate than expected and the problem can be capitalized maliciously.
alex-ppg marked the issue as satisfactory
alex-ppg marked the issue as selected for report
The Munchables sponsor (0xinsanity) confirmed this issue outside of github. Label has been added by C4 staff for transparency.
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/BonusManager.sol#L136 https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/AccountManager.sol#L363-L387 https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L249
Vulnerability details
Impact
User rewards are not harvested during lock duration updates, leading to inconsistencies in accrued rewards between users.
Proof of Concept
In the current
LockManager
implementation, schnibbles rewards are harvested during lock and unlock calls.Schnibbles reward rate depends on amount locked and the passed time.
There is also a bonus that depends on the user's lock duration setting.
Users have an option to change their lock duration during ongoing locks.
The issue arises when user rewards are not harvested before the update. This leads the protocol to assume that the user had the updated duration from the beginning of the lock, resulting in incorrect reward calculations.
Coded POC for
SpeedRun.t.sol
:In the provided test case, two players lock a similar amount of tokens for the same duration and then update it. Player 0 harvests rewards before duration update, while Player 1 does not. This scenario leads to a discrepancy in rewards.
Tools Used
Foundry
Recommended Mitigation Steps
Harvest user rewards before updating lock duration:
Assessed type
Other