[H] Users can lose already-accrued claimable amounts during liquidation
Summary
In the current implementation, the claim() function does not support the withdrawal of the claimable amount for positions that have been liquidated.
However, during liquidation, the code does not check if the current position's claimable amount is greater than zero before transferring it to the user.
Vulnerability Detail
The current implementation of the Fair Funding Alchemix Vault has a vulnerability that can result in the loss of unclaimed earnings that are rightfully owed to the token owner. The issue arises because the liquidate() function marks the position as liquidated without first calling the _claimable_for_token() function to settle the claimable amount of WETH that is owed to the token owner.
This claimable amount is the past earnings that have been generated by the protocol but not yet claimed by the token owner. This amount is owed to the token owner and represents a debt owed by the protocol to the owner.
The current implementation does not settle the claimable amount before marking the position as liquidated. As a result, after liquidation, the token owner loses the right to claim any of the past earnings that have been generated but not yet claimed, as the _claimable_for_token() function always returns 0 after a position has been marked as liquidated.
Impact
During liquidation, any unwithdrawn claimable amount for the position will be lost, causing a loss for the user.
oxcm
high
Code Snippet
https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L428-L463
https://github.com/sherlock-audit/2023-02-fair-funding/blob/main/fair-funding/contracts/Vault.vy#L318-L353
Tool used
Manual Review / ChatGPT PLUS
Recommendation
Consider changing to:
Duplicate of #123
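The ordering problem described in this finding, as an added example that is not part of the original report or the Fair Funding code: a simplified Python model of the accounting in which liquidate() either flags the position immediately or settles the accrued amount first. Only claim(), liquidate() and _claimable_for_token() are names from the report; every field, helper and number below is an assumption made for illustration.

```python
from dataclasses import dataclass
PRECISION = 10**18  # assumed fixed-point scale

@dataclass
class Position:
    owner: str
    shares: int
    paid_per_share: int       # assumed checkpoint of earnings already settled
    liquidated: bool = False

class Vault:  # simplified model; fields and helpers are assumptions
    def __init__(self, settle_on_liquidate):
        self.settle_on_liquidate = settle_on_liquidate
        self.positions, self.weth_paid = {}, {}
        self.total_shares = self.earned_per_share = 0

    def open(self, token_id, owner, shares):
        self.positions[token_id] = Position(owner, shares, self.earned_per_share)
        self.total_shares += shares

    def add_earnings(self, weth):
        self.earned_per_share += weth * PRECISION // self.total_shares

    def _claimable_for_token(self, token_id):
        p = self.positions[token_id]
        if p.liquidated:
            return 0  # as the report describes: always 0 once liquidated
        return p.shares * (self.earned_per_share - p.paid_per_share) // PRECISION

    def claim(self, token_id):
        p = self.positions[token_id]
        amount = self._claimable_for_token(token_id)
        p.paid_per_share = self.earned_per_share
        self.weth_paid[p.owner] = self.weth_paid.get(p.owner, 0) + amount
        return amount

    def liquidate(self, token_id):
        if self.settle_on_liquidate:
            self.claim(token_id)  # settle accrued WETH before flagging
        self.positions[token_id].liquidated = True
        self.total_shares -= self.positions[token_id].shares

def lost_on_liquidation(settle_on_liquidate, earnings=3 * 10**18):
    v = Vault(settle_on_liquidate)   # constructed scenario: two holders, 3 WETH
    v.open(1, "alice", 100)
    v.open(2, "bob", 200)
    v.add_earnings(earnings)
    owed = v._claimable_for_token(1)  # accrued before liquidation
    v.liquidate(1)
    v.claim(1)                        # a later claim yields nothing either way
    return owed - v.weth_paid.get("alice", 0)
```

With the flag set first, the full accrued amount for token 1 is unrecoverable; settling before setting the flag leaves nothing owed.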