sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging


no - Liquidity providers cannot receive the trading fee rewards they are entitled to #73

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 5 months ago

no

high

Liquidity providers cannot receive the trading fee rewards they are entitled to

Summary

Liquidity providers cannot receive the trading fee rewards they are entitled to

Vulnerability Detail

    function _harvest (address _callFeeRecipient) private {
        // Claim rewards from gauge
        _claimEarnings();

        // Charge fees for Beefy and send them to the appropriate addresses, charge fees to accrued state fee amounts.
        (uint256 feeLeft) = _chargeFees(_callFeeRecipient, fees);

        // Reset state fees to 0. 
        fees = 0;

        // Notify rewards with our velo. 
@>      IRewardPool(rewardPool).notifyRewardAmount(output, feeLeft, 1 days);

        // Log the last time we claimed fees. 
        lastHarvest = block.timestamp;

        // Log the fees post Beefy fees.
        emit Harvest(feeLeft);
    }

We can see that the left fee rewards are given to the rewardPool. There are two scenarios below:

  1. The liquidity provider has not staked in the rewardPool and will not receive any rewards.
  2. Even if staked, since the rewardPool releases rewards linearly over a day, a portion of the rewards will always be inaccessible.

    poc for 2

Manual Review

Recommendation

Swap the output tokens to lpToken0 and lpToken1
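
A model of the two scenarios listed above, added here as an example that is not part of the original issue or of Beefy's code. It assumes the rewardPool streams rewards Synthetix-style (rate = amount / duration, with the unreleased remainder rolled into the next period); `RewardPool`, `scenario` and the `staker`/`holder` names are hypothetical.

```python
from fractions import Fraction

DAY = 86_400  # seconds; mirrors the `1 days` argument passed in _harvest

class RewardPool:
    """Assumed Synthetix-style streaming pool; hypothetical model, not Beefy's contract."""
    def __init__(self):
        self.now = self.finish = self.last = self.total = 0
        self.rate = self.rpt = Fraction(0)  # tokens per second, cumulative reward per staked token
        self.bal, self.paid, self.owed = {}, {}, {}

    def _sync(self, user=None):
        t = min(self.now, self.finish)      # accrual stops at the end of the period
        if self.total:
            self.rpt += (t - self.last) * self.rate / self.total
        self.last = t
        if user is not None:
            delta = self.bal.get(user, 0) * (self.rpt - self.paid.get(user, 0))
            self.owed[user] = self.owed.get(user, 0) + delta
            self.paid[user] = self.rpt

    def stake(self, user, amount):
        self._sync(user)
        self.bal[user] = self.bal.get(user, 0) + amount
        self.total += amount

    def notify_reward_amount(self, amount, duration):
        self._sync()
        leftover = max(self.finish - self.now, 0) * self.rate  # unreleased part of the old stream
        self.rate = (Fraction(amount) + leftover) / duration
        self.last, self.finish = self.now, self.now + duration

    def claimable(self, user):
        self._sync(user)
        return self.owed[user]

def scenario():
    """Constructed amounts: two harvests of 86_400 reward tokens each, half a day apart."""
    pool = RewardPool()
    pool.stake("staker", 100)               # "holder" owns vault shares but never stakes
    pool.notify_reward_amount(86_400, DAY)  # harvest 1: feeLeft streamed over one day
    pool.now = DAY // 2
    mid = pool.claimable("staker")          # only half of harvest 1 has been released
    pool.notify_reward_amount(86_400, DAY)  # harvest 2: leftover joins a new one-day stream
    pool.now = DAY
    end = pool.claimable("staker")
    return mid, end, pool.claimable("holder"), pool.finish

if __name__ == "__main__":
    print(scenario())
```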

sherlock-admin4 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

DHTNS commented:

Invalid -> no trading fees on velo if you stake in gauge, all of it goes to veVELO holders