search

sherlock-audit / 2023-07-blueberry-judging

2 stars 1 forks source link

Oxhunter526 - Users will not receive their accrued rewards when they choose to close their positions from the `AuraSpell` contract #50

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

Oxhunter526

medium

Users will not receive their accrued rewards when they choose to close their positions from the AuraSpell contract

Summary

The closePositionFarm function in the provided contract lacks a mechanism for distributing rewards to users when they close their positions. Unlike the openPositionFarm function, which includes a rewards distribution mechanism for users opening positions, the absence of such a mechanism in the closePositionFarm function can result in users not receiving their accrued rewards upon closing their positions.

Vulnerability Detail

The closePositionFarm function is responsible for closing positions in the Aura protocol. However, it does not include a rewards distribution mechanism that compensates users for their participation in the protocol. While the function performs important actions such as burning wrapped tokens, repaying debts, and managing collateral, the crucial step of distributing rewards to users is missing.

function closePositionFarm(
    ClosePosParam calldata param,
    uint256[] calldata expectedRewards,
    bytes[] calldata swapDatas
)
external
existingStrategy(param.strategyId)
existingCollateral(param.strategyId, param.collToken)
{
    // ... Other steps ...

    // No explicit rewards distribution mechanism present
}

Impact

Users who have earned rewards by participating in the Aura protocol will not receive their accrued rewards when they choose to close their positions.

Code Snippet

(https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/spell/AuraSpell.sol#L184-L286)

Tool used

Manual Review

Recommendation

Implement a rewards distribution mechanism within the closePositionFarm function making it essential to ensure that users receive their earned rewards when closing their positions.

sherlock-admin2 commented 1 year ago

3 comment(s) were left on this issue during the judging contest.

0xyPhilic commented:

invalid because reward tokens are also accounted for at line 205 and swapped for debt token and included in the final amount sent to owner

darkart commented:

Invalid

Kral01 commented:

there is a distribution mechanism