When rolling over, entitled shares are neither send nor rolled over. The ERC1155 tokens that grant access to those shares are burned however, hence locking the entitled funds in the contract.
Vulnerability Detail
The function mintRollovers calculates entitled shares and entitled emissions for an amount of assets, but only transfers the emissions:
uint256 entitledShares = previewWithdraw(
queue[index].epochId,
queue[index].assets
...
_burn(
queue[index].receiver,
queue[index].epochId,
queue[index].assets
);
// transfer emission tokens out of contract otherwise user
// could not access them as vault shares are burned
_burnEmissions(
queue[index].receiver,
queue[index].epochId,
queue[index].assets
);
// NOTE emission token is a known token which has no before
// transfer hooks which makes transfer safer
emissionsToken.safeTransfer(
queue[index].receiver,
previewEmissionsWithdraw(
queue[index].epochId,
queue[index].assets
)
);
...
//WARDEN-NOTE: entitled shares not transferred above and not rolled over below
uint256 assetsToMint = queue[index].assets - relayerFee;
_mintShares(queue[index].receiver, _epochId, assetsToMint);
minhtrng
high
Entitled shares not handled during rollover
Summary
When rolling over, entitled shares are neither send nor rolled over. The ERC1155 tokens that grant access to those shares are burned however, hence locking the entitled funds in the contract.
Vulnerability Detail
The function
mintRolloverscalculates entitled shares and entitled emissions for an amount of assets, but only transfers the emissions:Impact
Loss of funds
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/ae7f210d8fbf21b9abf09ef30edfa548f7ae1aef/Earthquake/src/v2/Carousel/Carousel.sol#L408-L437
Tool used
Manual Review
Recommendation
Transfer entitled shares (minus the amount to rollover) to the user or rollover all of it.
Duplicate of #163