search

sherlock-audit / 2023-04-ajna-judging

4 stars 3 forks source link

ctf_sec - Lose of unclaimed rewards in case a bucket goes bankrupt #39

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ctf_sec

high

Lose of unclaimed rewards in case a bucket goes bankrupt

Summary

Lose of unclaimed rewards in case a bucket goes bankrupt

Vulnerability Detail

When the lender calls PositionManager.memorializePositions method

https://github.com/sherlock-audit/2023-04-ajna/blob/e2439305cc093204a0d927aac19d898f4a0edb3d/ajna-core/src/PositionManager.sol#L236

if the bucket goes bucket, the lps is zero out

// check for previous deposits
    if (position.depositTime != 0) {
        // check that bucket didn't go bankrupt after prior memorialization
        if (_bucketBankruptAfterDeposit(pool, index, position.depositTime)) {
            // if bucket did go bankrupt, zero out the LP tracked by position manager
            position.lps = 0;
        }
    }

However, the lender could still have unclaimed rewards. In this case, the lender loses the rewards due to the lack of claiming rewards before zeroing out the previous tracked LP balance.

In RewardsManager, claimRewards there is no a check for bucket's bankruptcy.

Impact

Lose of unclaimed rewards in case a bucket goes bankrupt

Code Snippet

https://github.com/sherlock-audit/2023-04-ajna/blob/e2439305cc093204a0d927aac19d898f4a0edb3d/ajna-core/src/PositionManager.sol#L236

Tool used

Manual Review

Recommendation

check and transfer unclaimed reward or at least record the unclaimed reward before calling

// if bucket did go bankrupt, zero out the LP tracked by position manager
            position.lps = 0;

to avoid loss of reward

Duplicate of #100