BohdanHrytsak
commented
4 months ago Thank you for the submission.
Support for certain custom tokens is not a problem in itself, unless explicitly stated to be supported or to work in this contract
We have a case where a large number of tokens will be stored and it is highly likely that these tokens will be there as a Pair for v2 (includes PairFees) or v3 AlgebraPool. Where we clearly work with them.
In the case of Farming, support for these tokens was not declared, or the expectation of their use is the same as if in other contracts where there may be standard erc20 tokens
Github username: -- Twitter username: yixxas Submission hash (on-chain): 0x3e6965fcb1953b458a248e262c77078525827fc4c7d48ef49cfcab4bc6151ad8 Severity: high
Description: Description\ https://github.com/Satsyxbt/Fenix-dex-v3/blob/652bfd4d1035c3d63af14522baa611e3d22d963f/src/farming/contracts/farmings/AlgebraEternalFarming.sol#L433-L434
Yield collected on AlgebraEternalFarming is lost if reward token or bonus reward token used is rebasing (Both USDB and WETH are rebasing on Blast).
The AlgebraEternalFarming contract accounts for total rewards that has been collected in
incentive.totalRewardandincentive.bonusReward. Users rewards are accounted for in therewardBalances[][]mapping.The reward tokens sits in this contract and continue to accrue yield since the default yield mode for both USDB and WETH is AUTOMATIC. Users can only claim up to the rewards that has been rewarded by the protocol, but not the additional rewards that are gained due to yield accrual. Fix: AlgebraEternalFarming should inherit
BlastERC20RebasingManageso that it can set ERC20 yield mode to CLAIMABLE. Note that the default yield mode is AUTOMATIC.Recommended Mitigation\ AlgebraEternalFarming should inherit
BlastERC20RebasingManageso that it can set ERC20 yield mode to CLAIMABLE. Note that the default yield mode is AUTOMATIC. AttachmentsProof of Concept (PoC) File
Revised Code File (Optional)