Skip to content
This repository has been archived by the owner on Dec 22, 2024. It is now read-only.

mstpr-brainbot - ERC20 transfers for stakeToken's is not updating the rewards process #271

Closed
sherlock-admin2 opened this issue Jun 20, 2024 · 0 comments
Closed

mstpr-brainbot - ERC20 transfers for stakeToken's is not updating the rewards process #271

sherlock-admin2 opened this issue Jun 20, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Jun 20, 2024
edited
Loading

mstpr-brainbot

High

ERC20 transfers for stakeToken's is not updating the rewards process

Summary

Since the stakeToken's are ERC20 the transfers of these tokens should also change the rewards since the ownership of the tokens will change after the transfer

Vulnerability Detail

As we can see, when an account mints new stake tokens, the fee rewards are updated:

function executeMintStakeToken(
        uint256 requestId,
        Mint.Request memory mintRequest
    ) external returns (uint256 stakeAmount) {
        -> FeeRewardsProcess.updateAccountFeeRewards(mintRequest.account, mintRequest.stakeToken);
       //..
    }

This is crucial to ensure fair accrual of rewards for the users.

However, there is another case where the account's fee rewards will change: when they simply transfer their tokens. All stake tokens are ERC20 tokens, and they have transfer functions that users can use.

Impact

Unfair accrual of rewards, high.

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/process/MintProcess.sol#L68-L91

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/vault/StakeToken.sol#L7-L25

Tool used

Manual Review

Recommendation

Override the transfer hook in ERC20 and update the rewards whenever the tokens are transferred

Duplicate of #146
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jun 27, 2024
@sherlock-admin3 sherlock-admin3 added Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed labels Jul 3, 2024
@sherlock-admin2 sherlock-admin2 changed the title Active Punch Jellyfish - ERC20 transfers for stakeToken's is not updating the rewards process mstpr-brainbot - ERC20 transfers for stakeToken's is not updating the rewards process Jul 3, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue Sponsor Disputed The sponsor disputed this issue's validity Won't Fix The sponsor confirmed this issue will not be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin3