amusingaxl
commented
1 month ago Please notice that the issue pointed was applicable to Version 1 of the report. The code was corrected then, however, as the repository evolved with newer requirements, so did our understanding of the ownership of the DssVestMintable contract. It is assumed now to be a fully set-up external contract.
Looking closely at the ChainSecurity Audit Report, you can check section 2.2.5 Changes in Version 3:
The rely() call was replaced by a check on wards() in a higher-level library:
We suggest closing this as a non-issue.
Audittens
Medium
NGT minting is not possible via DssVest
Summary
As stated in the README, rewards are going to be generated through a
DssVestMintable, therefore it should have access to mint NGT tokens. However, nongt.rely(vest)is being made in neither theVestInit, nor any other place in the scope.Vulnerability Detail
As was stated in the ChainSecurity's MakerDAO Endgame Toolkit audit, item 6.2 "Vest Minting Not Possible":
It's also stated in the audit that MakerDAO fixed the issue by adding the following line into the initialization script:
RelyLike(ngt).rely(vest);. In practice, it was not added, and the script still lacks this line.Impact
It is impossible for
VestedRewardsDistributionto get rewards sinceDssVestwon't be able to successfully execute the internalpayfunction. This leads to depositors ofstakingRewardsnot getting their expected profit, which can be considered as a corresponding loss of funds for them.Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/script/dependencies/VestInit.sol#L31
Tool Used
Manual Review
Recommendation
Add
ngtas a parameter toVestInit.init, and addRelyLike(ngt).rely(vest);intoVestInit.init.