search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

hulkvision - Claimable gauge distributions are locked when killGaugeTotally and pauseGauge is called #630

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

hulkvision

Medium

Claimable gauge distributions are locked when killGaugeTotally and pauseGauge is called

Summary

When a gauge is killed/paused, the claimable[_gauge] key value is cleared. Because any rewards received by the Voter contract are indexed and distributed in proportion to each pool's weight, this claimable amount is permanently locked within the contract

Vulnerability Detail

In Voter.sol

function pauseGauge(address _gauge) external {
        if (msg.sender != emergencyCouncil) {
            require(
                IGaugePlugin(gaugePlugin).checkGaugePauseAllowance(msg.sender, _gauge)
            , "Pause gauge not allowed");
        }
        require(isAlive[_gauge], "gauge already dead");
        isAlive[_gauge] = false;
@-->        claimable[_gauge] = 0; // value is set to zero
        address _pair = IGauge(_gauge).stake(); // TODO: add test cases
        try IPair(_pair).setHasGauge(false) {} catch {}
        emit GaugePaused(_gauge);
    }

function killGaugeTotally(address _gauge) external {
        if (msg.sender != emergencyCouncil) {
            require(
                IGaugePlugin(gaugePlugin).checkGaugeKillAllowance(msg.sender, _gauge)
            , "Restart gauge not allowed");
        }
        require(isAlive[_gauge], "gauge already dead");

        address _pool = poolForGauge[_gauge];

        delete isAlive[_gauge];
        delete external_bribes[_gauge];
        delete poolForGauge[_gauge];
        delete isGauge[_gauge];
 @-->       delete claimable[_gauge]; // value is cleared
        delete supplyIndex[_gauge];
        delete gauges[_pool];
        try IPair(_pool).setHasGauge(false) {} catch {}

        killedGauges.push(_gauge);

        emit GaugeKilledTotally(_gauge);
    }

When the gauge is paused or killed totally the claimable amount is permanently locked within the contract When

Impact

Code Snippet

https://github.com/sherlock-audit/2024-06-velocimeter/blob/63818925987a5115a80eff4bd12578146a844cfd/v4-contracts/contracts/Voter.sol#L380-L392 https://github.com/sherlock-audit/2024-06-velocimeter/blob/63818925987a5115a80eff4bd12578146a844cfd/v4-contracts/contracts/Voter.sol#L407-L429

Tool used

Manual Review

Recommendation

Consider returning the claimable amount to the Minter contract.

Duplicate of #107