search

sherlock-audit / 2023-03-sense-judging

4 stars 0 forks source link

Bauer - Users who add liquidity to space will lose all their reward #56

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Bauer

high

Users who add liquidity to space will lose all their reward

Summary

When users remove liquidity from space, the protocol does not transfer the reward to users. Users will lose all their reward

Vulnerability Detail

When users remove liquidity from space, the protocol will call the balancerVault.exitPool() to burn the lp token and send staked token and reward to usres. However ,the protocol does not transfer the reward to users.

function _removeLiquidityFromSpace(
        bytes32 poolId,
        address pt,
        address target,
        uint256[] memory minAmountsOut,
        uint256 lpBal
    ) internal returns (uint256 tBal, uint256 ptBal) {
        // ExitPoolRequest params
        (ERC20[] memory tokens, , ) = balancerVault.getPoolTokens(poolId);
        BalancerVault.ExitPoolRequest memory request = BalancerVault.ExitPoolRequest({
            assets: _convertERC20sToAssets(tokens),
            minAmountsOut: minAmountsOut,
            userData: abi.encode(lpBal),
            toInternalBalance: false
        });
        tBal = ERC20(target).balanceOf(address(this));
        ptBal = ERC20(pt).balanceOf(address(this));

        balancerVault.exitPool(poolId, address(this), payable(address(this)), request);

        tBal = ERC20(target).balanceOf(address(this)) - tBal;
        ptBal = ERC20(pt).balanceOf(address(this)) - ptBal;
    }

Impact

Users who add liquidity to space will lose all their reward

Code Snippet

https://github.com/sherlock-audit/2023-03-sense/blob/main/sense-v1/pkg/core/src/Periphery.sol#L698-L745

Tool used

Manual Review

Recommendation

Transfer reward to users when remove liquidity