`pullRewards()` in `CvxConvergenceLocker.sol()` will revert so tokens can not recieved by `cvxRewardDistributor`

[hats-bug-reporter[bot]]

Github username: @0xRizwan Twitter username: 0xRizwann Submission hash (on-chain): 0x4c665b65e2610de30b50c3dc44e4f6d75a1acbb9db3d1d7de5a3d07e8b8b022c Severity: high

Description: Description\

pullRewards() in CvxConvergenceLocker.sol() can only be accessed by CvgCvxStakingPositionService contract and it is used to transfer the ERC20 tokens to the reward distributor i.e cvxRewardDistributor contract address during the processCvxRewards. pullRewards() is implemented as:

    function pullRewards(address processor) external returns (ICommonStruct.TokenAmount[] memory) {
        require(msg.sender == cvxStakingPositionService, "NOT_CVG_CVX_STAKING");

        /// @dev stake all CVX on the CVX1 contract
        cvx1.stake();

        /// @dev claim rewards
        CVX_LOCKER.getReward(address(this));

        uint256 rewardLength = rewardTokensConfiguration.length;
        address treasuryPod = cvgControlTower.treasuryPod();
@>      address rewardReceiver = address(cvgControlTower.cvxRewardDistributor());

     . . . some code

   }

To send the ERC20 token, the rewardReceiver is fetched from cvgControlTower.cvxRewardDistributor()) i.e from Convergence control tower.

cvgControlTower address used in CvxRewardDistributor.sol as:

    /// @dev Convergence control tower
    ICvgControlTowerV2 public constant cvgControlTower = ICvgControlTowerV2(0xB0Afc8363b8F36E0ccE5D54251e20720FfaeaeE7);

Reference contract- https://etherscan.io/address/0xB0Afc8363b8F36E0ccE5D54251e20720FfaeaeE7#readProxyContract

If you check the above address on Ethereum mainnet, it does not consist cvxRewardDistributor address, therefore the pullRewards() function will either revert or become unresponsive or will show an unexpected behaviour. This is due to missing address variables being called from the Convergence Control Tower contract.

Impact

pullRewards() from CvxConvergenceLocker.sol()will always revert due to missing cvxRewardDistributor implementation in cvgControlTower contract. It means pullRewards() is actually fetching a reward receiver address which is not implemented or does not exist. The function will show unexpected behaviour.

Therefore, cvxRewardDistributor wont be able to receive the reward ERC20 tokens so pullRewards() as called in processCvxRewards() wont be successful and would revert. CVX rewards can not be processed and would incure loss for everyone. This is loss of users as rewards can not be processed.

Recommmendation to fix\

In CvxConvergenceLocker.pullRewards(), do not fetch the value of cvxRewardDistributor from cvgControlTower as cvgControlTower does not implement this address, therefore it can not be called.

Pass the cvxRewardDistributor contract address as an argument in initialize() function to set the value of cvxRewardDistributor as similarly done for _cvxDelegateRegistry. This will ensure no reverts or unresponsiveness from pullRewards() function.

[kakarottosama]

If you look at CvgControlTowerV2.sol code, there is cvxRewardDistributor. The 0xB0Afc8363b8F36E0ccE5D54251e20720FfaeaeE7 is an upgradable contract, and will be updated to the latest CvgControlTowerV2

[PlamenTSV]

Same as #56