sherlock-admin
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Invalid. From the Readme we see that the only rebasing token to be used is stETH
crypticdefense
medium
Rebasing tokens go to the fee recipient
Summary
Rebasing tokens are tokens that change in value over time (go up or down). In the case it increases, it allows for the possibility of excess tokens in the pool. Excess tokens solely go to the fee recipient, rather than the holder.
Vulnerability Detail
In
NapierPool.sol, when a new pool is created, the fee recipient is initialized on construction of the contract. The protocol does not explain who exactly the fee recipient is, but it is likely the owner of the pool.Rebasing tokens can increase over time, which can cause excess tokens in the pool. The
NapierPool.solcontract manages this by including askimfunction, which sweeps the excess tokens to the fee recipient. However, in this case, the excess tokens belong to the user who deposited them.Impact
Users who deposit rebasing tokens will not get back all rewards earned.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L82-L83
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L107-L140
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/NapierPool.sol#L519-L534
Tool used
Manual Review
Recommendation
Ensure the fee recipient repays any associated taxes with extra rebase tokens or inform your users not to use such tokens if they don't want to lose them.