Users lose premium gained when enrolled to mintRollovers
Summary
mintRollovers function in Carousel.sol is used to invest the winnings of one epoch into another epoch. The user must enlist into the system, which creates a QueueItem struct for the user, storing their position details. This function however does not take into account the change in the user's balance due to the premium earned, and only re-invests the old amount, losing the users premium.
Vulnerability Detail
mintRollovers is used to re-invest earnings from one epoch into another. It does this in a series of steps shown in the following steps.
First, it does some checks to make sure the user has won the epoch, and has enough funds to cover relayer fees.
if (queue[index].assets < relayerFee) {
index++;
continue;
}
Next, it withdraws both the assets and the emissions, burning the positions.
The code however never updates the value of queue[index].assets to reflect the new value after previous epoch ended. So the protocol only reinvests the old amount, which doesnt include the premium amount, and thus the end user loses all premium earnings. These earnings are sent to the carousel contract when the position is burnt, but they are never transferred out to the end user.
Update the value of queue[index].assets to reflect premium earned. The new value is already calculated and stored in the entitledShares variable, so a simple assignment before re-investing is enough.
carrot
high
Users lose premium gained when enrolled to
mintRolloversSummary
mintRolloversfunction in Carousel.sol is used to invest the winnings of one epoch into another epoch. The user must enlist into the system, which creates aQueueItemstruct for the user, storing their position details. This function however does not take into account the change in the user's balance due to the premium earned, and only re-invests the old amount, losing the users premium.Vulnerability Detail
mintRolloversis used to re-invest earnings from one epoch into another. It does this in a series of steps shown in the following steps.First, it does some checks to make sure the user has won the epoch, and has enough funds to cover relayer fees.
Next, it withdraws both the assets and the emissions, burning the positions.
It transfers out only the emissions, and then re-invests the assets (after deducting relayer fee) into another epoch.
The code however never updates the value of
queue[index].assetsto reflect the new value after previous epoch ended. So the protocol only reinvests the old amount, which doesnt include the premium amount, and thus the end user loses all premium earnings. These earnings are sent to the carousel contract when the position is burnt, but they are never transferred out to the end user.Impact
User unable to earn premium.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L361-L459
Tool used
Manual Review
Recommendation
Update the value of
queue[index].assetsto reflect premium earned. The new value is already calculated and stored in theentitledSharesvariable, so a simple assignment before re-investing is enough.Duplicate of #163