Closed sherlock-admin2 closed 1 month ago
Please note that the issue pointed out was applicable to Version 1 of the report. The code was corrected then; however, as the repository evolved with newer requirements, so did our understanding of the ownership of the DssVestMintable contract. It is now assumed to be a fully set-up external contract.
Looking closely at the ChainSecurity Audit Report, you can check section 2.2.5 Changes in Version 3:
The rely() call was replaced by a check on wards() in a higher-level library:
We suggest closing this as a non-issue.
Audittens
Medium
NGT minting is not possible via DssVest
Summary
As stated in the README, rewards are going to be generated through a DssVestMintable, therefore it should have access to mint NGT tokens. However, no ngt.rely(vest) call is being made in either the VestInit or any other place in the scope.
Vulnerability Detail
As was stated in ChainSecurity's MakerDAO Endgame Toolkit audit, item 6.2 "Vest Minting Not Possible":
It's also stated in the audit that MakerDAO fixed the issue by adding the following line into the initialization script: RelyLike(ngt).rely(vest);. In practice, it was not added, and the script still lacks this line.
Impact
It is impossible for VestedRewardsDistribution to get rewards since DssVest won't be able to successfully execute the internal pay function. This leads to depositors of stakingRewards not getting their expected profit, which can be considered as a corresponding loss of funds for them.
Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/script/dependencies/VestInit.sol#L31
Tool Used
Manual Review
Recommendation
Add ngt as a parameter to VestInit.init, and add RelyLike(ngt).rely(vest); into VestInit.init.
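An added sketch, not code from the report, the audit, or the audited repository, contrasting the two ways this thread describes of handling the vest's mint permission on NGT: granting it in the init script with rely(), or checking wards() and reverting when the grant is missing. MockNgt, MockVest and VestInitSketch are hypothetical, simplified stand-ins, and pay is made external here only so the revert can be observed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical token using the wards/rely authorization pattern.
contract MockNgt {
    mapping(address => uint256) public wards;
    mapping(address => uint256) public balanceOf;

    constructor() { wards[msg.sender] = 1; }

    modifier auth() { require(wards[msg.sender] == 1, "MockNgt/not-authorized"); _; }

    function rely(address usr) external auth { wards[usr] = 1; }
    function mint(address to, uint256 amt) external auth { balanceOf[to] += amt; }
}

// Hypothetical stand-in for a minting vest: paying out means calling mint on the token.
contract MockVest {
    MockNgt public immutable gem;

    constructor(MockNgt gem_) { gem = gem_; }

    // Reverts with "MockNgt/not-authorized" unless gem.wards(address(this)) == 1.
    function pay(address guy, uint256 amt) external { gem.mint(guy, amt); }
}

interface WardsLike { function wards(address) external view returns (uint256); }
interface RelyLike { function rely(address) external; }

library VestInitSketch {
    // Variant A (the report's recommendation): the init script grants the permission.
    // The calling contract must itself already be a ward on ngt, or rely() reverts.
    function initWithRely(address ngt, address vest) internal {
        RelyLike(ngt).rely(vest);
    }

    // Variant B (the approach the sponsor describes): the vest is treated as an
    // externally set-up contract, and initialization fails fast if the grant is absent.
    function initWithCheck(address ngt, address vest) internal view {
        require(WardsLike(ngt).wards(vest) == 1, "VestInitSketch/vest-not-ward-on-ngt");
    }
}
```

With neither variant in place, the first MockVest.pay call is where the missing authorization surfaces; Variant B moves that failure to initialization time.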