Open sherlock-admin opened 1 year ago
Escalate for 10 USDC
Convex docs confirm this point:
Convex allows liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves. Liquidity providers can receive boosted CRV and liquidity mining rewards with minimal effort:
Earn claimable CRV with a high boost without locking any CRV
Earn CVX rewards
Zero deposit and withdraw fees
Zero fees on extra incentive tokens (SNX, etc)
and WConvexPools.burn() handles this properly,
so Convex SPELL should refund all the rewards.
You've created a valid escalation for 10 USDC!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Senior watson's comment:
same as https://github.com/sherlock-audit/2023-05-blueberry-judging/issues/29
Escalation accepted
Valid high. This issue is a valid high along with another duplicate, #42.
This issue's escalations have been accepted!
Contestants' payouts and scores will be updated according to the changes made on this issue.
Ch_301
high
attackers will keep stealing the rewards from Convex SPELL
Summary
WConvexPools.burn() transfers CRV + CVX + the extra rewards to Convex SPELL.
Vulnerability Detail
But ConvexSpell.openPositionFarm() only refunds CVX to the user. So the rest of the rewards will stay in the SPELL until someone (could be an attacker) invokes _doRefund() within closePositionFarm() with the same address tokens.
Impact
Code Snippet
WConvexPools.burn() transfers CRV + CVX + the extra rewards: https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/wrapper/WConvexPools.sol#L201-L235
Only refunds CVX to the user: https://github.com/sherlock-audit/2023-04-blueberry/blob/main/blueberry-core/contracts/spell/ConvexSpell.sol#LL127C1-L138C10
Tool used
Manual Review
Recommendation
You should refund all rewards (CRV + CVX + the extra rewards).
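As an added illustration (not the Blueberry code and not part of this issue), the minimal Solidity contract below puts the CVX-only refund next to the recommended refund of every reward token the wrapper's burn() hands back. The IRewardWrapper interface, the balance-based _doRefund helper and the function names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical wrapper interface (assumption): burn() forwards the
/// reward tokens (CRV, CVX, extra incentives) to the caller and reports
/// which tokens and amounts it sent.
interface IRewardWrapper {
    function burn(uint256 id, uint256 amount)
        external
        returns (address[] memory rewardTokens, uint256[] memory rewards);
}

contract RefundExample {
    using SafeERC20 for IERC20;

    IRewardWrapper public immutable wrapper;
    address public immutable CVX;

    constructor(IRewardWrapper _wrapper, address _cvx) {
        wrapper = _wrapper;
        CVX = _cvx;
    }

    /// Refunds the spell's whole balance of `token` to the caller.
    /// Because it refunds a balance rather than a tracked amount, any token
    /// left behind by an earlier caller goes to whoever triggers it next.
    function _doRefund(address token) internal {
        uint256 bal = IERC20(token).balanceOf(address(this));
        if (bal > 0) IERC20(token).safeTransfer(msg.sender, bal);
    }

    /// Pattern reported in the issue: only CVX is refunded, so CRV and the
    /// extra reward tokens delivered by burn() remain in the contract.
    function burnAndRefundCvxOnly(uint256 id, uint256 amount) external {
        wrapper.burn(id, amount);
        _doRefund(CVX);
    }

    /// Recommended pattern: refund every token burn() reported, so no
    /// reward balance is left in the spell for a later caller to collect.
    function burnAndRefundAll(uint256 id, uint256 amount) external {
        (address[] memory tokens, ) = wrapper.burn(id, amount);
        for (uint256 i = 0; i < tokens.length; i++) {
            _doRefund(tokens[i]);
        }
    }
}
```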