Open hats-bug-reporter[bot] opened 1 year ago
The underlying will not be lent out. Any token with staking rewards will not be borrowable, as enforced by this check https://github.com/hats-finance/VMEX-0x050183b53cf62bcd6c2a932632f8156953fd146f/blob/fb396a3fa412e643de7d8a1fd8a0268ab3a2f993/packages/contracts/contracts/protocol/incentives/ExternalRewardDistributor.sol#L58
Github username: @bahurum
Submission hash (on-chain): 0xf2bd7d7647b88e237cabb4bc4e6cdaf05532fd801331ec7000be3d8c7ac2a2d6
Severity: medium severity
Description:

`ExternalRewardDistributor`'s functions `beginStakingReward()` and `removeStakingReward()` will revert because they use the `totalSupply()` of the `aToken` instead of the `underlying` balance of the `aToken` as the amount of `underlying` to receive or send to the `stakingContract`.

Vulnerability details:
In `ExternalRewardDistributor.beginStakingReward()` all the `underlying` which is held in the `aToken` contract should be staked.

Instead the `amount` is set to `IERC20(aToken).totalSupply()`, which is always larger than the amount of `underlying` available because a part of the `underlying` will be lent out. This will make `IERC20(underlying).safeTransferFrom()` revert.

There is a case in which `beginStakingReward()` will not revert, and that is when nobody has yet borrowed the `underlying` from that `aToken`.

This could be the case if the admins of the tranche activate the staking rewards at launch.
In this case `beginStakingReward()` will not revert, but now for the same reason as above `removeStakingReward()` will always fail, so staking cannot be stopped.

Recommendation
Use the current underlying balance of the aToken when staking and the current underlying balance of the staking contract when unstaking.
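
A toy Python ledger, added here as an illustration and not taken from the VMEX contracts or the original report, comparing a transfer sized by `totalSupply()` with one sized by the actual underlying balance. The `Pool` class, its method names, the amounts, and the assumption that loans made after staking starts are funded by unstaking are all constructed; interest accrual is ignored.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class Pool:
    """Toy ledger for one aToken, its underlying and a staking contract."""
    def __init__(self):
        self.total_supply = 0  # aToken.totalSupply(): depositors' claims
        self.bal = {"aToken": 0, "staking": 0, "borrower": 0}  # underlying

    def _transfer(self, src, dst, amount):
        if self.bal[src] < amount:
            raise Revert(f"{src} holds {self.bal[src]}, needs {amount}")
        self.bal[src] -= amount
        self.bal[dst] += amount

    def deposit(self, amount):
        self.total_supply += amount
        self.bal["aToken"] += amount

    def borrow(self, amount):
        # Assumption: once staking is active, loans are funded by unstaking.
        src = "staking" if self.bal["staking"] else "aToken"
        self._transfer(src, "borrower", amount)

    def begin_staking(self, use_total_supply):
        amount = self.total_supply if use_total_supply else self.bal["aToken"]
        self._transfer("aToken", "staking", amount)

    def remove_staking(self, use_total_supply):
        amount = self.total_supply if use_total_supply else self.bal["staking"]
        self._transfer("staking", "aToken", amount)

def reverts(call, *args):
    try:
        call(*args)
    except Revert:
        return True
    return False

def scenario(borrow_before, borrow_after, use_total_supply):
    """Constructed run: deposit 100, optionally borrow, stake, borrow, unstake.
    Returns (begin_reverted, remove_reverted); remove is None if begin failed."""
    pool = Pool()
    pool.deposit(100)
    pool.borrow(borrow_before)
    if reverts(pool.begin_staking, use_total_supply):
        return True, None
    pool.borrow(borrow_after)
    return False, reverts(pool.remove_staking, use_total_supply)
```

`scenario(0, 0, True)` models an asset that is never lent out: the two amounts coincide and neither call reverts.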