Open sherlock-admin opened 1 year ago
@weitianjie2000 having some internal accounting seems reasonable here.
Think low severity is reasonable here
@T-Woodward why is this a low? Seems like a loss for Notional Treasury and NOTE token holders
Yeah I mean I just don't see it as such a big deal. No loss to user funds. If it started to happen we could just upgrade it out
I think given that the CodeArena issue was graded a High, I think Medium is ok as a severity here. I couldn't find the severity guidelines as a reference. The net effect here would be a small loss for the Notional Treasury and NOTE token.
xiaoming90
high
Malicious Users Can Deny Notional Treasury From Receiving Fee
Summary
Malicious users can deny Notional Treasury from receiving fees when rewards are reinvested.
Vulnerability Detail
The
claimRewardTokens
function will harvest the reward tokens from the Aura Pool, and the reward tokens will be transferred to the Balancer Vault. At lines 77-78, a portion of the reward tokens would be sent to theFEE_RECEIVER
. After clarifying with the sponsor, it was understood that theFEE_RECEIVER
would be set to Notional Treasury so that it would receive some of the accrued reward tokens.https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L61
Within the
claimRewardTokens
function, it will call theAURA_REWARD_POOL.getReward
to harvest the reward tokens. Within theclaimRewardTokens
function, it also uses the pre-balance and post-balance of the reward tokens to check the actual amount of reward tokens that are transferred into the vault.However, the issue is that anyone can claim reward tokens from Aura Pool on behalf of any address. Following is the implementation of the
getReward
function taken from Aura's BaseRewardPool4626 contract called by the vault for reference.https://etherscan.io/address/0xdcee1c640cc270121faf145f231fd8ff1d8d5cd4
Assume that a malicious user front runs a call to claim rewards tokens. When a keeper calls the
AURA_REWARD_POOL.getReward
to harvest the reward tokens, it will return no reward tokens, and therefore the difference between the pre-balance and post-balance of the reward tokens will amount to zero. Therefore, no reward tokens will be sent to theFEE_RECEIVER
(Notional Treasury) as a fee.Proof-of-Concept
The
test_claim_rewards_success
test case shows that under normal circumstances, the Notional treasury will receive a portion of the accrued BAL and AURA as fees.The
test_claim_rewards_success_frontrun
test case shows that if thegetReward
is front-run by an attacker, the Notional treasury will receive nothing.The following is the test script and its result.
Impact
Notional Treasury will not receive a portion of the accrued reward tokens as fees. Loss of assets for Notional protocol and its governance token holders.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/vaults/balancer/mixins/AuraStakingMixin.sol#L61
Tool used
Manual Review
Recommendation
It is recommended not to use the pre-balance and post-balance of the reward tokens when claiming reward tokens. A more robust internal accounting scheme needs to be implemented to keep track of actual reward tokens received from the pool so that the appropriate amount of the accrued reward tokens can be sent to the Notional Treasury.
Reference
A similar high-risk issue was found in the past audit report