search

sherlock-audit / 2023-02-blueberry-judging

12 stars 5 forks source link

minhtrng - ICHI rewards not paid out when reopening a farm position #352

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

minhtrng

medium

ICHI rewards not paid out when reopening a farm position

Summary

When a position on the ICHIFarm gets reopened, ICHI rewards from the previous position are not send to the user and can be taken by someone else.

Vulnerability Detail

When shares of WIchiFarm are burned, rewards can be sent out to the msg.sender:

//WIchiFarm.burn
if (enIchi > stIchi) {
    ICHI.safeTransfer(msg.sender, enIchi - stIchi);
}

A burn of WIchiFarm shares can occur when a position in the farm is closed or when a position is opened while there is already an existing one:

// IchiVaultSpell.closePositionFarm
wIchiFarm.burn(collId, lpTakeAmt);
...
doRefund(ICHI);

// IchiVaultSpell.openPositionFarm
wIchiFarm.burn(collId, collSize);

The current implementation of IchiVaultSpell.openPositionFarm lacks the refund of ICHI tokens. Hence the rewards that a user should have gotten here remain in the Spell contract and can be taken by anyone who calls closePositionFarm.

Impact

Theft of rewards.

Code Snippet

https://github.com/sherlock-audit/2023-02-blueberry/blob/03048217af4ea396b3d8f96cb8edb3b23f0c9b47/contracts/spell/IchiVaultSpell.sol#L235-L242

Tool used

Manual Review

Recommendation

Add a call to doRefund(ICHI) in the IchiVaultSpell.openPositionFarm when a position gets reopened.

Duplicate of #158