Skip to content
This repository has been archived by the owner on Nov 5, 2023. It is now read-only.

0x52 - rewardTokens removed from WAuraPool/WConvexPools will be lost forever #128

Open
sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Open

0x52 - rewardTokens removed from WAuraPool/WConvexPools will be lost forever #128

sherlock-admin opened this issue Apr 30, 2023 · 2 comments
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

0x52

high

rewardTokens removed from WAuraPool/WConvexPools will be lost forever

Summary

pendingRewards pulls a fresh count of reward tokens each time it is called. This is problematic if reward tokens are ever removed from the the underlying Aura/Convex pools because it means that they will no longer be distributed and will be locked in the contract forever.

Vulnerability Detail

WAuraPools.sol#L166-L189

    uint extraRewardsCount = IAuraRewarder(crvRewarder)
        .extraRewardsLength();
    tokens = new address[](extraRewardsCount + 1);
    rewards = new uint256[](extraRewardsCount + 1);

    tokens[0] = IAuraRewarder(crvRewarder).rewardToken();
    rewards[0] = _getPendingReward(
        stCrvPerShare,
        crvRewarder,
        amount,
        lpDecimals
    );

    for (uint i = 0; i < extraRewardsCount; i++) {
        address rewarder = IAuraRewarder(crvRewarder).extraRewards(i);
        uint256 stRewardPerShare = accExtPerShare[tokenId][i];
        tokens[i + 1] = IAuraRewarder(rewarder).rewardToken();
        rewards[i + 1] = _getPendingReward(
            stRewardPerShare,
            rewarder,
            amount,
            lpDecimals
        );
    }

In the lines above we can see that only tokens that are currently available on the pool. This means that if tokens are removed then they are no longer claimable and will be lost to those entitled to shares.

Impact

Users will lose reward tokens if they are removed

Code Snippet

WAuraPools.sol#L152-L190

Tool used

Manual Review

Recommendation

Reward tokens should be stored with the tokenID so that it can still be paid out even if it the extra rewardToken is removed.
@github-actions github-actions bot added the Medium A valid Medium severity issue label May 3, 2023
@Gornutz Gornutz added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels May 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label May 20, 2023
@IAm0x52 IAm0x52 mentioned this issue May 27, 2023
Closed
@Gornutz
Copy link

Gornutz commented Jun 12, 2023

Blueberryfi/blueberry-core@f57a1db

@IAm0x52
Copy link
Collaborator

IAm0x52 commented Jun 16, 2023

Fix uses incorrect index for accExtPerShareusing. Using i in accExtPerShare is incorrect and should instead use extrawRewardsIdx[rewarder]. If a reward is removed it will cause the order of the indexes to change and accExtPerShare can return an incorrect value, sending the user an incorrect amount of the asset or causing the entire call to revert.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Gornutz @sherlock-admin @IAm0x52