Open hats-bug-reporter[bot] opened 4 months ago
If you look at the CvgControlTowerV2.sol code, there is cvxRewardDistributor.
The 0xB0Afc8363b8F36E0ccE5D54251e20720FfaeaeE7 is an upgradable contract, and will be updated to the latest CvgControlTowerV2.
Same as #56
Github username: @0xRizwan
Twitter username: 0xRizwann
Submission hash (on-chain): 0x4c665b65e2610de30b50c3dc44e4f6d75a1acbb9db3d1d7de5a3d07e8b8b022c
Severity: high
Description

`pullRewards()` in `CvxConvergenceLocker.sol` can only be accessed by the `CvgCvxStakingPositionService` contract, and it is used to transfer the ERC20 tokens to the reward distributor, i.e. the `cvxRewardDistributor` contract address, during `processCvxRewards()`. `pullRewards()` is implemented as:

To send the ERC20 token, the `rewardReceiver` is fetched from `cvgControlTower.cvxRewardDistributor()`, i.e. from the Convergence control tower. The `cvgControlTower` address used in `CvxRewardDistributor.sol` is:

Reference contract: https://etherscan.io/address/0xB0Afc8363b8F36E0ccE5D54251e20720FfaeaeE7#readProxyContract

If you check the above address on Ethereum mainnet, it does not contain a `cvxRewardDistributor` address; therefore the `pullRewards()` function will either revert, become unresponsive, or show unexpected behaviour. This is due to missing address variables being called from the Convergence Control Tower contract.

Impact

`pullRewards()` in `CvxConvergenceLocker.sol` will always revert due to the missing `cvxRewardDistributor` implementation in the `cvgControlTower` contract. It means `pullRewards()` is actually fetching a reward receiver address which is not implemented or does not exist. The function will show unexpected behaviour. Therefore, `cvxRewardDistributor` won't be able to receive the reward ERC20 tokens, so `pullRewards()` as called in `processCvxRewards()` won't be successful and would revert. CVX rewards cannot be processed and would incur a loss for everyone. This is a loss for users, as rewards cannot be processed.

Recommendation to fix
In `CvxConvergenceLocker.pullRewards()`, do not fetch the value of `cvxRewardDistributor` from `cvgControlTower`, as `cvgControlTower` does not implement this address and therefore it cannot be called. Pass the `cvxRewardDistributor` contract address as an argument to the `initialize()` function to set the value of `cvxRewardDistributor`, as is similarly done for `_cvxDelegateRegistry`. This will ensure no reverts or unresponsiveness from the `pullRewards()` function.
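The recommendation above, as an added illustration that is not the project's code: a simplified, hypothetical locker that stores `cvxRewardDistributor` in its own storage, set once in `initialize()` beside `_cvxDelegateRegistry` with zero-address checks, so `pullRewards()` never depends on a getter the deployed control tower proxy may not expose. All contract, function and parameter names here are assumed for the sketch; the alternative path noted in the thread, upgrading the control tower to CvgControlTowerV2 so the getter exists, is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch (not the Convergence code base): the reward receiver is
// configured at initialization and validated, instead of being resolved through
// an external call to cvgControlTower at pull time.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract CvxConvergenceLockerSketch {
    address public cvxDelegateRegistry;
    address public cvxRewardDistributor;
    address public cvgCvxStakingPositionService;
    bool private initialized;

    error ZeroAddress(string name);
    error AlreadyInitialized();
    error NotStakingService(address caller);
    error LengthMismatch();

    // Upgradeable-style initializer: every address the contract later depends on
    // is supplied and checked here, so pullRewards() cannot resolve to 0x0.
    function initialize(
        address _cvxDelegateRegistry,
        address _cvxRewardDistributor,
        address _stakingPositionService
    ) external {
        if (initialized) revert AlreadyInitialized();
        if (_cvxDelegateRegistry == address(0)) revert ZeroAddress("cvxDelegateRegistry");
        if (_cvxRewardDistributor == address(0)) revert ZeroAddress("cvxRewardDistributor");
        if (_stakingPositionService == address(0)) revert ZeroAddress("stakingPositionService");
        initialized = true;
        cvxDelegateRegistry = _cvxDelegateRegistry;
        cvxRewardDistributor = _cvxRewardDistributor;
        cvgCvxStakingPositionService = _stakingPositionService;
    }

    // Only the staking position service may pull rewards; the receiver is read
    // from local storage, not from an external contract that may lack the getter.
    function pullRewards(IERC20[] calldata tokens, uint256[] calldata amounts) external {
        if (msg.sender != cvgCvxStakingPositionService) revert NotStakingService(msg.sender);
        if (tokens.length != amounts.length) revert LengthMismatch();
        address rewardReceiver = cvxRewardDistributor;
        for (uint256 i; i < tokens.length; i++) {
            require(tokens[i].transfer(rewardReceiver, amounts[i]), "transfer failed");
        }
    }
}
```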