Protocol Fails to Handle Rebasing Tokens, Leading to Potential Reward Losses for users
Summary
The protocol claims to support all tokens, including unusual ones, but fails to handle rebasing tokens, which can lead to reward distribution issues.
Vulnerability Detail
Readme states that all the tokens are supported including the weird tokens
Rebasing tokens are not supported by the protocol.
In the ERC20Incentive contract, there are two reward methods: pool and raffle. When distributing rewards in a pool incentive contract, the protocol takes a fixed amount calculated based on the limit and reward per address from the budget. However, for rebasing tokens, if the total supply decreases, the contract’s balance will also decrease, resulting in insufficient tokens for reward distribution and causing some participants to lose rewards.
Impact
Participants could lose their rewards due to insufficient token supply after a rebase.
Atharv
High
Protocol Fails to Handle Rebasing Tokens, Leading to Potential Reward Losses for users
Summary
The protocol claims to support all tokens, including unusual ones, but fails to handle rebasing tokens, which can lead to reward distribution issues.
Vulnerability Detail
Readme states that all the tokens are supported including the weird tokens
Rebasing tokens are not supported by the protocol.
In the ERC20Incentive contract, there are two reward methods: pool and raffle. When distributing rewards in a pool incentive contract, the protocol takes a fixed amount calculated based on the limit and reward per address from the budget. However, for rebasing tokens, if the total supply decreases, the contract’s balance will also decrease, resulting in insufficient tokens for reward distribution and causing some participants to lose rewards.
Impact
Participants could lose their rewards due to insufficient token supply after a rebase.
Code Snippet
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/ERC20Incentive.sol#L76-L95
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L266-L291
Tool used
Manual Review
Recommendation
Implement proper handling of rebasing tokens to ensure the contract adjusts balances dynamically during reward distribution.