search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

sonny2k - RewardDistributorV2 claims can be DoSed through excess amount of userPoint creation #583

Closed sherlock-admin2 closed 3 months ago

sherlock-admin2 commented 3 months ago

sonny2k

Medium

RewardDistributorV2 claims can be DoSed through excess amount of userPoint creation

Summary

A malicious user can DoS (permanently lock) ve token owner's claims, by creating certain amount of user_point_history entries by calling VotingEscrow.deposit_for() on a target token multiple times.

Vulnerability Details

RewardsDistributorV2 claims are calculated in the _claimable() function. The calculation first involves finding the last user_point which was taken before the last week_cursor. This is done through a for loop that cycles from the last user_epoch until it finds one. The loop can cycle up to 50 times:

for (uint i = 0; i < 50; i++) {

hence if there are more userPoints than 50 the _claimable() function will return 0 as toDistribute.

A malicious user can call the VotingEscrow.depositFor() on the attacked veALCX token multiple times and can deposit minimum amount tokens (1 wei is enough), this way he can create the userPoints that will DoS the function.

Impact

ve token holder loses irreversibly all claims.

Code Snippet

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/RewardsDistributorV2.sol#L252

Tool used

Manual Review

Recommendation

The solution would be to use binary search like in other places in the system.

References

This report is inspired by the report from Immunefi Alchemix Boost #31399

Duplicate of #330