code423n4 / Code4rena / CODE423N4:2022-02-CONCUR-FINDINGS-ISSUES-176
Feb 09, 2022 - 12:00 a.m.

Same reward token in pools can break accounting

Code4rena
github.com

Lines of code

Vulnerability details

The ConvexStakingWrapper contract uses several reward pool tokens, rewards[_pid][_index].token, and the same token can be used for different _pids.
Indeed, the CVX/CRV tokens are always at index 0 and 1.

The rewards will be distributed to the first pool id (_pid) that calls checkpoint() -> _calcRewardIntegral(), because the contract's entire balance of the reward token is read there.
The other pools don't receive any rewards.

function _calcRewardIntegral(
    uint256 _pid,
    uint256 _index,
    address _account,
    uint256 _balance,
    uint256 _supply
) internal {
    RewardType memory reward = rewards[_pid][_index];

    // @audit first pid to call this receives the current reward token balance
    uint256 bal = IERC20(reward.token).balanceOf(address(this));
    // ...

    uint256 d_reward = bal - reward.remaining;
    IERC20(reward.token).transfer(address(claimContract), d_reward);

    // ...
}

Recommended Mitigation Steps

If several pools use the same reward token, it should be distributed fairly among these pools, similar to the allocation points in a MasterChef contract.
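
The accounting problem and the suggested allocation-point split, as an added Python model that is not part of the original finding or the project's code. The class names, the simulate() helper and the sample amounts are constructed for illustration, and remaining is assumed to stay 0.

```python
# Constructed Python model of the accounting; not the Concur contract code.
class SharedBalanceWrapper:
    """Reported pattern: every pool diffs the contract-wide token balance."""
    def __init__(self, pids):
        self.balance = 0                       # token.balanceOf(address(this))
        self.remaining = {p: 0 for p in pids}  # rewards[pid][index].remaining (assumed 0)
        self.credited = {p: 0 for p in pids}   # sent to claimContract on behalf of each pool

    def harvest(self, amount):
        self.balance += amount

    def checkpoint(self, pid):
        d_reward = self.balance - self.remaining[pid]
        self.balance -= d_reward               # transfer(claimContract, d_reward)
        self.credited[pid] += d_reward

class AllocPointWrapper:
    """Mitigation sketch: split newly arrived tokens by allocation points."""
    def __init__(self, alloc_points):
        self.alloc = dict(alloc_points)
        self.total_alloc = sum(self.alloc.values())
        self.balance = 0
        self.accounted = 0                     # part of balance already assigned to a pool
        self.pending = {p: 0 for p in self.alloc}
        self.credited = {p: 0 for p in self.alloc}

    def harvest(self, amount):
        self.balance += amount

    def _sync(self):
        new = self.balance - self.accounted
        for pid, pts in self.alloc.items():
            share = new * pts // self.total_alloc
            self.pending[pid] += share
            self.accounted += share            # rounding dust rolls into the next sync

    def checkpoint(self, pid):
        self._sync()
        share, self.pending[pid] = self.pending[pid], 0
        self.balance -= share
        self.accounted -= share
        self.credited[pid] += share

def simulate(wrapper, order, amount):
    """Harvest `amount` of the shared token, then checkpoint pools in `order`."""
    wrapper.harvest(amount)
    for pid in order:
        wrapper.checkpoint(pid)
    return wrapper.credited
```

In the first model the result depends only on which pool checkpoints first; in the second it depends only on the allocation points.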

