sherlock-audit / 2024-03-zivoe-judging


BoRonGod - DAO unable to withdraw their funds due to Convex admin action #657

Open sherlock-admin4 opened 2 months ago

sherlock-admin4 commented 2 months ago

BoRonGod

medium

DAO unable to withdraw their funds due to Convex admin action

Summary

A Convex admin action can cause the funds of the Zivoe protocol and its users to become stuck, leaving the DAO unable to push/pull assets from the Convex lockers.

Vulnerability Detail

Per the contest page, the admins of the protocols that Zivoe integrates with are considered "RESTRICTED". This means that any issue related to a Convex admin action that could negatively affect the Zivoe protocol/users will be considered valid in this audit contest.

Q: Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?

RESTRICTED

In the current BaseRewardPool.sol used by Convex, the admin can add infinite extraRewards:

function extraRewardsLength() external view returns (uint256) {
    return extraRewards.length;
}

function addExtraReward(address _reward) external returns(bool){
    require(msg.sender == rewardManager, "!authorized");
    require(_reward != address(0),"!reward setting");

    // no upper bound on the number of entries, and no way to remove one here
    extraRewards.push(_reward);
    return true;
}

By setting a malicious token or adding a lot of tokens, it is easy to completely prevent the Zivoe DAO from calling pullFromLocker, since pullFromLocker() is forced to call claimRewards():

function pullFromLocker(address asset, bytes calldata data) external override onlyOwner {
    require(asset == convexPoolToken, "OCY_Convex_C::pullFromLocker() asset != convexPoolToken");

    // reverts (malicious reward token) or runs out of gas (too many entries)
    // before the withdrawal below is ever reached
    claimRewards(false);
    ...

Impact

The funds of the Zivoe protocol and its users will be stuck, resulting in users being unable to withdraw their assets.

Code Snippet

https://github.com/convex-eth/platform/blob/main/contracts/contracts/BaseRewardPool.sol#L109

Tool used

Manual Review

Recommendation

Ensure that the protocol team and its users are aware of the risks of such an event and develop a contingency plan to manage it.
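The mechanism described in the Vulnerability Detail above, as an added illustration that is not Convex or Zivoe code: a stand-in reward pool whose rewardManager can push an unbounded extraRewards list, a reward contract that reverts on every claim, a locker shaped like the pullFromLocker() excerpt whose withdrawal is forced through the reward path, and a hardened locker whose withdrawal never touches that path. The contract names, the mock withdraw(amount, claim) signature and the HardenedLocker design are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this report; none of this is Convex or Zivoe code.
// MockBaseRewardPool, RevertingReward, VulnerableLocker and HardenedLocker
// are assumed names, and withdraw(amount, claim) is a simplified signature.

interface IRewards {
    function getReward(address account) external;
}

// Stand-in for Convex's BaseRewardPool: rewardManager can push an unbounded
// list of extraRewards, and getReward() walks the whole list.
contract MockBaseRewardPool {
    address public immutable rewardManager;
    address[] public extraRewards;
    mapping(address => uint256) public balanceOf;

    constructor() { rewardManager = msg.sender; }

    function addExtraReward(address _reward) external returns (bool) {
        require(msg.sender == rewardManager, "!authorized");
        require(_reward != address(0), "!reward setting");
        extraRewards.push(_reward);
        return true;
    }

    function extraRewardsLength() external view returns (uint256) {
        return extraRewards.length;
    }

    function stake(uint256 amount) external { balanceOf[msg.sender] += amount; }

    // Main reward accounting omitted; the relevant part is the unbounded loop.
    // One reverting entry reverts the whole call, and enough entries push the
    // call over the block gas limit.
    function getReward(address _account, bool _claimExtras) public returns (bool) {
        if (_claimExtras) {
            uint256 length = extraRewards.length;
            for (uint256 i = 0; i < length; i++) {
                IRewards(extraRewards[i]).getReward(_account);
            }
        }
        return true;
    }

    // The no-argument variant always claims extras.
    function getReward() external returns (bool) {
        return getReward(msg.sender, true);
    }

    // Withdrawal skips the reward path entirely when claim == false.
    function withdraw(uint256 amount, bool claim) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        if (claim) getReward(msg.sender, true);
        return true;
    }
}

// A reward contract the rewardManager could register: every claim reverts.
contract RevertingReward is IRewards {
    function getReward(address) external pure { revert("blocked"); }
}

// Locker in the shape of the report's excerpt: the withdrawal is forced
// through claimRewards(), so a poisoned or bloated extraRewards list blocks it.
contract VulnerableLocker {
    address public immutable owner;
    MockBaseRewardPool public immutable pool;

    constructor(MockBaseRewardPool _pool) { owner = msg.sender; pool = _pool; }

    function claimRewards(bool) public {
        pool.getReward(); // reverts or runs out of gas once extraRewards is poisoned
    }

    function pullFromLocker(uint256 amount) external {
        require(msg.sender == owner, "!owner");
        claimRewards(false);          // the withdrawal dies here
        pool.withdraw(amount, false);
    }
}

// Hardened variant: principal withdrawal never depends on the reward path.
// Claims are best-effort (try/catch absorbs a reverting token) and are
// invoked separately, so an extraRewards list long enough to exhaust gas
// cannot hold the principal hostage.
contract HardenedLocker {
    address public immutable owner;
    MockBaseRewardPool public immutable pool;

    constructor(MockBaseRewardPool _pool) { owner = msg.sender; pool = _pool; }

    function claimRewards() external returns (bool ok) {
        try pool.getReward() returns (bool) { ok = true; } catch { ok = false; }
    }

    function pullFromLocker(uint256 amount) external {
        require(msg.sender == owner, "!owner");
        pool.withdraw(amount, false); // claim == false: the extraRewards loop never runs
    }
}
```

To reproduce the report's scenario with these mocks: deploy MockBaseRewardPool and VulnerableLocker, have the locker stake, then let the deployer (the rewardManager) call addExtraReward(address(new RevertingReward())). From that point every owner call to VulnerableLocker.pullFromLocker() reverts with "blocked", while HardenedLocker.pullFromLocker() still returns the stake. The try/catch alone is not enough for the "too many tokens" variant, because the loop still burns the caller's gas before the catch runs; that is why the hardened withdrawal passes claim == false and leaves claiming to a separate, optional call. Convex's real BaseRewardPool exposes the same choice through the claim argument of withdraw() and withdrawAndUnwrap().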

pseudonaut commented 2 months ago

I suppose valid, not of concern though

sherlock-admin4 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

panprog commented:

Invalid. While admins are restricted, they are still not supposed to harm their own protocol, just perform normal, reasonable admin actions. Adding so many reward tokens would definitely break their protocol for all users, so this is an invalid assumption.

RealLTDingZhen commented 1 month ago

escalate

This is a valid medium since the external admin is restricted and the sponsor confirms this.

Please refer to https://github.com/sherlock-audit/2024-01-napier-judging/issues/95 and https://github.com/sherlock-audit/2024-01-napier-judging/issues/108

sherlock-admin3 commented 1 month ago

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

panprog commented 1 month ago

Even if this happens, there is nothing that can be done about it, so this is a purely informational issue. It won't affect the other protocol functionality since this is just a separate locker with funds locked in it. I believe this is similar to USDC blacklisting the protocol address, so such actions should be invalid as there is nothing that can be done to fix it.

WangSecurity commented 1 month ago

I agree with both the Lead Judge and the escalating Watson, but according to the README and external admins being restricted, these reports indeed should be valid. However, I believe the fairest option is to duplicate this report with the other issues where an external admin's actions lead to harm to Zivoe, at Medium severity, due to the extremely low likelihood.

The reports it will be duplicated with are #672, #692 and #697. Planning to accept the escalation and duplicate these reports.

Evert0x commented 1 month ago

Result: Medium Has Duplicates

sherlock-admin2 commented 1 month ago

Escalations have been resolved successfully!

Escalation status:

panprog commented 1 month ago

The following issues appear to be duplicates of this one according to the @WangSecurity criteria of "external admin's actions are leading to a harm of Zivoe": #130, #160, #249, #648, #662, #666, #667, #672, #677, #692, #697, #699, #701, #704