Open hats-bug-reporter[bot] opened 10 months ago
Thanks for the report. I have to say I don't understand the issue. You're depositing to a farm when it's not active - i.e. will not be paying out any rewards - so it is expected that `claim_rewards` would return `[0, 0]`. Why is your test expecting `[1, 2]`?
Hi @deuszx, thanks for your reply.
I just wanted to show that the output rewards would be zero, so I just compared with a random non-zero value.
The user would not know that the farm is closed and would deposit to earn some rewards. Unfortunately they would not receive any rewards. One way could be not allowing deposits when the farm is closed, so that the user can deposit into another farm which is active; this would benefit both the user and the protocol.
Let me see if I understand your submission correctly: You're saying that right now users are able to deposit when the farm is closed. Correct?
If that's the only issue then it's NOT an issue. This is by design. I've explained it already, but this is a design of the farm where it can be activated multiple times by the farm owner adding more rewards to it, and farmers don't need to move their LPs.
It's interesting... thanks for sharing.
But this could still be a cause of concern for a user who wants to deposit and earn rewards.
Some of the issues that a user would encounter are:
First, they will not be updated with any rewards since the farm is closed. Second, this deposit would influence the user rewards when calculating `user_rewards_per_share`, where the total share is used in the calculation. Note that the total share still accrues whether the farm is open or closed. I believe the second point would really be a cause of concern.
The way I would see to fix it is to maintain the deposit in a separate variable and use it when the farm is opened again, or simply not allow the deposits.
Thank you for participating. After carefully reviewing the submission we've concluded that this issue is INVALID.
We hope you participate in future audits of ink!.
@deuszx thanks for your feedback. However, I am surprised to see such behaviour where the user will not be awarded any rewards for their staking.
@aktech297 users are supposed to deposit when they earn rewards. If a user thinks they will get a reward although the farm ended, it is not an error/vuln of the protocol. My opinion.
@aktech297, users earn rewards within the farm's activity period. Deposits are allowed even when the farm is inactive because there may be a future farm planned, so they are allowed to deposit now, at their convenience, and are not required to wait until the farm actually starts.
Imagine the case where you know the farm starts today at 2AM - you don't want to wait until 2:01AM to deposit if you can do it now.
Users are expected to understand what they're doing and not use contracts blindly. The frontend will show the necessary info to the user. If a user wants to interact with the contract directly then they are expected to understand the protocol.
I think this case would really be a cause of concern.
Second, this deposit would influence the user rewards when calculating `user_rewards_per_share`, where the total share is used in the calculation. Note that the total share still accrues whether the farm is open or closed. I believe the second point would really be a cause of concern.
Overall, the rewards value will be influenced by the deposits made during the inactive period. I think less rewards would be calculated.
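To make the two situations in this thread concrete, here is an added example, a simplified Rust model of MasterChef-style "accumulated reward per share" farm accounting. It is not code from common-amm or from any participant in the thread; the `Farm` struct, its `deposit`, `claim_rewards` and `reactivate` methods, the fixed-point `PRECISION` constant and the tick-based timeline are all assumptions of this model. It follows the design deuszx describes: deposits are accepted at any time, rewards accrue only inside the active window, and the owner can open a further period without farmers moving their LPs.

```rust
use std::collections::HashMap;

/// Fixed-point scale for `acc_reward_per_share` (assumption of this model).
const PRECISION: u128 = 1_000_000_000_000;

#[derive(Default, Clone, Copy)]
struct UserInfo {
    shares: u128,      // LP tokens deposited by this user
    reward_debt: u128, // shares * acc_reward_per_share / PRECISION at last settlement
    pending: u128,     // rewards settled on deposit but not yet claimed
}

/// Simplified farm (not the common-amm contract): deposits are accepted at any
/// time, but rewards accrue only while the clock is inside [start, end).
struct Farm {
    start: u64,
    end: u64,
    reward_rate: u128,          // reward tokens per tick while active
    total_shares: u128,         // grows on every deposit, active or not
    acc_reward_per_share: u128, // scaled by PRECISION
    last_update: u64,
    users: HashMap<&'static str, UserInfo>,
}

impl Farm {
    fn new(start: u64, end: u64, reward_rate: u128) -> Self {
        Farm { start, end, reward_rate, total_shares: 0, acc_reward_per_share: 0,
               last_update: 0, users: HashMap::new() }
    }

    /// Accrue rewards for the active part of (last_update, now]. Outside the
    /// window nothing accrues, so a late deposit cannot change earlier payouts.
    fn update(&mut self, now: u64) {
        let from = self.last_update.max(self.start);
        let to = now.min(self.end);
        if to > from && self.total_shares > 0 {
            let reward = (to - from) as u128 * self.reward_rate;
            self.acc_reward_per_share += reward * PRECISION / self.total_shares;
        }
        self.last_update = self.last_update.max(now);
    }

    /// Move everything `who` has earned so far into `pending`.
    fn settle(&mut self, who: &'static str) -> &mut UserInfo {
        let acc = self.acc_reward_per_share;
        let u = self.users.entry(who).or_default();
        u.pending += u.shares * acc / PRECISION - u.reward_debt;
        u.reward_debt = u.shares * acc / PRECISION;
        u
    }

    /// Allowed whether or not the farm is active (the behaviour under discussion).
    fn deposit(&mut self, who: &'static str, amount: u128, now: u64) {
        self.update(now);
        let acc = self.acc_reward_per_share;
        let u = self.settle(who);
        u.shares += amount;
        u.reward_debt = u.shares * acc / PRECISION;
        self.total_shares += amount;
    }

    /// Returns the reward owed; 0 if nothing accrued for this user's shares.
    fn claim_rewards(&mut self, who: &'static str, now: u64) -> u128 {
        self.update(now);
        let u = self.settle(who);
        std::mem::take(&mut u.pending)
    }

    /// Owner opens a further reward period; staked LPs stay where they are.
    fn reactivate(&mut self, now: u64, start: u64, end: u64, reward_rate: u128) {
        self.update(now);
        self.start = start;
        self.end = end;
        self.reward_rate = reward_rate;
    }
}

struct Outcome {
    first_claims: [u128; 3], // alice, carol, bob after the first period
    total_shares: u128,      // includes bob's post-end deposit
    after_reopen: [u128; 3], // the same users after the owner re-opens the farm
}

/// Constructed timeline: farm active for ticks 100..200, paying 10 per tick.
fn scenario() -> Outcome {
    let mut farm = Farm::new(100, 200, 10);
    farm.deposit("alice", 100, 50);  // before start: allowed, earns from tick 100
    farm.deposit("carol", 100, 150); // mid-period: shares rewards from tick 150
    farm.deposit("bob", 100, 250);   // after end: allowed, earns nothing yet
    let first_claims = [
        farm.claim_rewards("alice", 300),
        farm.claim_rewards("carol", 300),
        farm.claim_rewards("bob", 300), // 0: the "[0, 0]" result from the thread
    ];
    let total_shares = farm.total_shares; // 300: bob's shares are counted
    farm.reactivate(300, 400, 500, 10);   // owner funds a second period
    let after_reopen = [
        farm.claim_rewards("alice", 600),
        farm.claim_rewards("carol", 600),
        farm.claim_rewards("bob", 600), // bob's earlier deposit now participates
    ];
    Outcome { first_claims, total_shares, after_reopen }
}

fn main() {
    let o = scenario();
    println!("first period: {:?}, total shares: {}", o.first_claims, o.total_shares);
    println!("after re-open: {:?}", o.after_reopen);
}
```

In this model bob's deposit after the period ends raises `total_shares` but, because `update` accrues nothing outside the window, alice's and carol's payouts for the first period are unchanged by it; bob's shares only start to dilute the others from the moment the owner opens the next period. That is the accounting point behind the "total share still accrues while closed" concern: whether it matters depends on whether any reward is ever credited for the closed interval.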
@deuszx any thoughts on this issue?
I'm not sure what the concern is here - users are expected to interact with the protocol in a certain way. Misuse is not a vulnerability.
To your second point - it wasn't the core of the original submission so I don't have to discuss it here; there was a time to submit vulnerabilities.
Interesting to see your thoughts on the issues. At one time it was towards the implementation and at another time it was towards user error. I'm really confused by your points.
I am not sure how it would be misuse.
When there is a function to notify the activeness of the pool, the contract still allows the user to deposit. I would say that the protocol is misusing the user, not the user misusing the protocol. I believe you would get the difference.
Note: the second point was already made while the contest was ongoing.
@aktech297 if you're disagreeing with the decision, please take it up with HatsFinance directly. There's a mediation process for this.
Github username: --
Twitter username: ak1
Submission hash (on-chain): 0x73f5776c4fa4eea1c3002c9af3a87c04e7d003f074d59791cb5693bfbff63c18
Severity: high
Description:
The functions `deposit` and `deposit_all` are allowed to be called even if the farm is closed. A user who deposits when the farm is closed will not accrue any rewards.
Attack Scenario:
Users who deposit their money will not be rewarded. In case the contract is destroyed when the farm is closed, these users will lose their funds.
Attachments
Below, both `deposit` and `deposit_all` allow deposits even if the farm is closed:
https://github.com/Cardinal-Cryptography/common-amm/blob/bf4e48e3257894dcc8e6ab359321d1406533ad8b/farm/contract/lib.rs#L371-L387
https://github.com/Cardinal-Cryptography/common-amm/blob/bf4e48e3257894dcc8e6ab359321d1406533ad8b/farm/contract/lib.rs#L241-L253
The update function will not update the rewards: https://github.com/Cardinal-Cryptography/common-amm/blob/bf4e48e3257894dcc8e6ab359321d1406533ad8b/farm/contract/lib.rs#L111-L126
POC: use this script.
We would suggest not allowing any deposit when the farm is closed.