Open hats-bug-reporter[bot] opened 1 year ago
Hi, thanks for the report. This issue has been commonly reported in the past audit. Since the tokens with external rewards are not borrowable, this would not be a concern. See
https://github.com/hats-finance/VMEX-0x050183b53cf62bcd6c2a932632f8156953fd146f/issues/57
Github username: @aviggiano Submission hash (on-chain): 0xa039eee6093179e3120b3882e02f6c6962b61db258f2256842a9b200ebafcad3 Severity: low
Description: Description\
In
ExternalRewardDistributor.sol:205
, a mismatch in the total supply of aToken and its underlying asset can cause a denial of service on thebeginStakingReward
function. The code assumes that the total supply of the aToken and the underlying should be the same. However, due to potential discrepancies like interest accumulation, aToken’s (an interest-bearing token) total supply can be more or less than the underlying. As a result, the smart contract may attempt to transfer more tokens than available leading to a DoS condition.Attack Scenario\
If an attacker can manipulate the total supply of either the aToken or its underlying, this could result in a discrepancy causing the attempts to transfer the same amount of tokens to and from the smart contract to fail. This can potentially cause the
beginStakingReward
function to cease operation.Attachments
Transfer the
totalSupply
from the underlying token.