In the ERC20Incentive contract, the total value of deposited assets is determined by limit * reward in POOL mode and by reward in RAFFLE mode, which is set during initialization. With each subsequent balance change through a token transfer, the claims variable increases by 1. According to the README file, weird tokens should be supported by the protocol, and this category includes rebase tokens. It turns out that they do not work well in the described configuration.
Vulnerability Detail
} else {
// Ensure the amount is a multiple of the reward and reduce the max claims accordingly
if (amount % reward != 0) revert BoostError.ClaimFailed(msg.sender, abi.encode(claim_));
limit -= amount / reward;
}
The problem is that rebase tokens can change their balance without a transfer occurring in the contract. Therefore, the value recorded in limit * reward (and reward) at a given moment may not reflect the actual balance of the contract. If the value is less than the initial one, certain users will not be able to withdraw their rewards, and some amount may remain locked in the protocol. If the value is greater, the difference above the initial amount will remain locked in the contract and cannot be withdrawn, even by executing the clawback function, because the maximum value that can be withdrawn through it is the one initially defined in the way already described.
Impact
This results in a loss of funds for users and a lock of funds in the contract
ge6a
Medium
Issue with rebasing tokens in ERC20Incentive
Summary
In the ERC20Incentive contract, the total value of deposited assets is determined by limit * reward in POOL mode and by reward in RAFFLE mode, which is set during initialization. With each subsequent balance change through a token transfer, the claims variable increases by 1. According to the README file, weird tokens should be supported by the protocol, and this category includes rebase tokens. It turns out that they do not work well in the described configuration.
Vulnerability Detail
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/incentives/ERC20Incentive.sol#L106-L110
The problem is that rebase tokens can change their balance without a transfer occurring in the contract. Therefore, the value recorded in limit * reward (and reward) at a given moment may not reflect the actual balance of the contract. If the value is less than the initial one, certain users will not be able to withdraw their rewards, and some amount may remain locked in the protocol. If the value is greater, the difference above the initial amount will remain locked in the contract and cannot be withdrawn, even by executing the clawback function, because the maximum value that can be withdrawn through it is the one initially defined in the way already described.
Impact
This results in a loss of funds for users and a lock of funds in the contract
Code Snippet
Tool used
Manual Review
Recommendation
Adjust the contract to work with rebasing tokens.