Open sherlock-admin4 opened 2 months ago
I suppose valid, not of concern though
1 comment(s) were left on this issue during the judging contest.
panprog commented:
invalid, while admins are restricted, they are still not supposed to harm their protocol, just do normal reasonable admin actions. Adding so many rewards tokens will definitely break their protocol for all users, so this is an invalid assumption.
escalate
This is a valid medium per external admin is restricted and sponsor confirms this.
Please refer to https://github.com/sherlock-audit/2024-01-napier-judging/issues/95 and https://github.com/sherlock-audit/2024-01-napier-judging/issues/108
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Even if this happens, there is nothing that can be done about it, so this is purely informational issue. It won't affect the other protocol functionality since this is just a separate locker with funds locked in it. I believe this is similar to USDC blacklisting protocol address, so such actions should be invalid as there is nothing that can be done to fix it.
I agree with both the Lead Judge and escalating Watson, but according to README and external admins being restricted, these reports indeed should be valid. But, I believe the most fair option is to duplicate this report with other issues where external admin's actions are leading to a harm of Zivoe with Medium severity, due to extremely low likelihood.
The reports it will be duplicated with are #672, #692 and #697. Planning to accept the escalation and duplicate these reports.
Result: Medium Has Duplicates
The following issues appear to be dups to this one according to the @WangSecurity criteria of "external admin's actions are leading to a harm of Zivoe": #130, #160, #249, #648, #662, #666, #667, #672, #677, #692, #697, #699, #701, #704
BoRonGod
medium
DAO unable to withdraw their funds due to Convex admin action
Summary
Convex admin action can lead to the fund of Zivoe protocol and its users being stuck, resulting in DAO being unable to push/pull assets from convex_lockers.
Vulnerability Detail
Per the contest page, the admins of the protocols that Zivoe integrates with are considered "RESTRICTED". This means that any issue related to Convex's admin action that could negatively affect Zivoe protocol/users will be considered valid in this audit contest.
In the current BaseRewardPool.sol used by Convex, the admin can add infinite extraRewards:
By setting a malicious token or adding a lot of tokens, it is easy to completely forbid the Zivoe DAO to pullFromLocker, since claimRewards() is forced to call:
Impact
The fund of Zivoe protocol and its users will be stuck, resulting in users being unable to withdraw their assets.
Code Snippet
https://github.com/convex-eth/platform/blob/main/contracts/contracts/BaseRewardPool.sol#L109
Tool used
Manual Review
Recommendation
Ensure that the protocol team and its users are aware of the risks of such an event and develop a contingency plan to manage it.