Gamers will not receive rewards for allocating to Aave and Beta vaults, while the vaults do generate yield
Summary
Since AaveProvider and BetaProvider don't track the exchange rate of respective protocol tokens, gamer rewards will always be 0 for these protocols. The protocols, however, will generate yield that will be distributed only to depositors.
Vulnerability Detail
Gamers are participants who allocate funds to yield generating protocols; as a reward, they receive a share of the yield. Depositing and withdrawing of funds, as well as accruing of rewards, happens during rebalancing of vaults. Vaults can be rebalanced once in two weeks, and, between rebalancings, funds generate yield in third-party protocols.
The yield generated by protocols is tracked during rebalnacings using the exchange rate of a protocol: since protocol generate yield, the exchange rate always increases, and the difference in exchange rates between two rebalancings is used to calculated to amount of yield generated between the rebalancings.
However, AaveProvider.exchangeRate and BetaProvider.exchangeRate return wrong exchange rates:
Gamers who allocate tokens to Aave and Beta vaults (while these vaults may generate high yield, compared to other protocols) will not receive rewards. The entire yield generated by the vaults will be distributed only among vault depositors.
Theezr
commented
1 year ago
Jeiwan
high
Gamers will not receive rewards for allocating to Aave and Beta vaults, while the vaults do generate yield
Summary
Since
AaveProviderandBetaProviderdon't track the exchange rate of respective protocol tokens, gamer rewards will always be 0 for these protocols. The protocols, however, will generate yield that will be distributed only to depositors.Vulnerability Detail
Gamers are participants who allocate funds to yield generating protocols; as a reward, they receive a share of the yield. Depositing and withdrawing of funds, as well as accruing of rewards, happens during rebalancing of vaults. Vaults can be rebalanced once in two weeks, and, between rebalancings, funds generate yield in third-party protocols.
The yield generated by protocols is tracked during rebalnacings using the exchange rate of a protocol: since protocol generate yield, the exchange rate always increases, and the difference in exchange rates between two rebalancings is used to calculated to amount of yield generated between the rebalancings.
However,
AaveProvider.exchangeRateandBetaProvider.exchangeRatereturn wrong exchange rates:AaveProvideralways returns 1;BetaProvideralways returns 0.If the exchange rate is always 1, then the numerator of the gamer rewards calculation formula will always be 0, and gamer rewards will always be 0. If the exchange rate is 0, gamer rewards won't be calculated at all.
Impact
Gamers who allocate tokens to Aave and Beta vaults (while these vaults may generate high yield, compared to other protocols) will not receive rewards. The entire yield generated by the vaults will be distributed only among vault depositors.
Code Snippet
AaveProvideralways return the exchange rate of 1: https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Providers/AaveProvider.sol#L112BetaProvideralways returns the exchange rate of 0: https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/Providers/BetaProvider.sol#L118Tool used
Manual Review
Recommendation
Consider correctly tracking the exchange rate of Aave and Beta tokens in the respective providers.