GalloDaSballo - M-01 Loss of Reward Tokens for AuraStaking

[sherlock-admin]

GalloDaSballo

medium

M-01 Loss of Reward Tokens for AuraStaking

Summary

AuraStakingMixin assumes extra rewards come from the gauge.

They will instead come from BaseRewardPool

Vulnerability Detail

Extra rewards for Aura are not coming from the gauge, but rather from the extraRewards field in the RewardPool

Because of this, any additional reward token added via the Aura system will not be tracked, won't be claimed and will remain stuck in the BaseRewardPool

Impact

Loss of Yield for Additional tokens, Protocol X decides to Airdrop / Do liquidity mining in their own token. Those tokens won't be claimable as they will be added to BaseRewardPool4626 and not to the Gauge.

Code Snippet

See Aura Code: https://github.com/aurafinance/convex-platform/blob/c570b332a074182d699015c598594e42d0f6b95b/contracts/contracts/BaseRewardPool.sol#L125

Tool used

Manual Review

Recommendation

Replace

 function _rewardTokens() private view returns (IERC20[] memory tokens) {
        uint256 rewardTokenCount = LIQUIDITY_GAUGE.reward_count() + 2;
        tokens = new IERC20[](rewardTokenCount);
        tokens[0] = BAL_TOKEN;
        tokens[1] = AURA_TOKEN;
        for (uint256 i = 2; i < rewardTokenCount; i++) {
            tokens[i] = IERC20(LIQUIDITY_GAUGE.reward_tokens(i - 2));
        }
    }

With

 function _rewardTokens() private view returns (IERC20[] memory tokens) {
        uint256 rewardTokenCount = REWARDS_POOL. extraRewardsLenght() + 2;
        tokens = new IERC20[](rewardTokenCount);
        tokens[0] = BAL_TOKEN;
        tokens[1] = AURA_TOKEN;
        for (uint256 i = 2; i < rewardTokenCount; i++) {
            tokens[i] = IERC20(REWARDS_POOL. extraRewards(i - 2));
        }
    }

[jeffywu]

@weitianjie2000

[jeffywu]

This issue is invalid, the Aura liquidity gauge calls through to the BaseRewardPool.