Code4rena (code423n4): CODE423N4:2022-02-CONCUR-FINDINGS-ISSUES-177
Feb 09, 2022 - 12:00 a.m.

Remaining reward balance is wrongly updated

github.com

Lines of code

Vulnerability details

The ConvexStakingWrapper._calcRewardIntegral function makes the amount d_reward = IERC20(reward.token).balanceOf(address(this)) - reward.remaining available for claiming.
Then it updates the reward.remaining value to the balance before the distribution.

RewardType memory reward = rewards[_pid][_index];

//get difference in balance and remaining rewards
//getReward is unguarded so we use remaining to keep track of how much was actually claimed
uint256 bal = IERC20(reward.token).balanceOf(address(this));
uint256 d_reward = bal - reward.remaining;

// ...
IERC20(reward.token).transfer(address(claimContract), d_reward);

// ...

//update remaining reward here since balance could have changed if claiming
if (bal != reward.remaining) {
    reward.remaining = uint128(bal);
}

rewards[_pid][_index] = reward;

It’s unclear what the reasoning is, but it leads to delayed distributions and breaks withdrawals, as uint256 d_reward = bal - reward.remaining; will underflow next time.

POC

  • The first time _calcRewardIntegral is called, bal = IERC20(reward.token).balanceOf(address(this)) := INITIAL_BALANCE, d_reward = bal - 0 = INITIAL_BALANCE.
  • The entire balance d_reward is transferred out of the contract.
  • reward.remaining = INITIAL_BALANCE is set.
  • User tries to withdraw tokens. It calls _checkpoint(_pid, msg.sender) which calls _calcRewardIntegral() which computes d_reward = IERC20(reward.token).balanceOf(address(this)) - INITIAL_BALANCE which will most likely underflow now as the current balance is 0 and thus < reward.remaining = INITIAL_BALANCE.
  • The transaction reverts, and the user cannot withdraw.

Recommended Mitigation Steps

Clarify how the reward.remaining variable is supposed to work and fix it.
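
The PoC above, replayed as a small Python model of the reward.remaining bookkeeping (an added example, not code from the report or the project). The class and function names, the sample amounts and the fixed branch, which stores the post-transfer balance, are assumptions; the report does not prescribe a fix.

```python
class Revert(Exception):
    """Stands in for a Solidity >=0.8 checked-arithmetic revert."""

def checked_sub(a, b):
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b

class RewardModel:
    """Models one reward token of the wrapper (names are hypothetical)."""
    def __init__(self, fixed):
        self.fixed = fixed        # assumed switch: apply the assumed correction
        self.balance = 0          # wrapper's reward-token balance
        self.remaining = 0        # reward.remaining
        self.claim_contract = 0   # tokens forwarded to claimContract

    def accrue(self, amount):
        """Reward tokens arrive in the wrapper."""
        self.balance += amount

    def calc_reward_integral(self):
        bal = self.balance
        # Raises before any state change, so a revert leaves state untouched.
        d_reward = checked_sub(bal, self.remaining)
        self.balance -= d_reward            # transfer(claimContract, d_reward)
        self.claim_contract += d_reward
        if self.fixed:
            # Assumed correction: record what is left after the transfer.
            self.remaining = self.balance
        elif bal != self.remaining:
            # Behaviour described in the finding: pre-transfer balance is stored.
            self.remaining = bal
        return d_reward

def replay(fixed, accruals):
    """Accrue each constructed amount, then checkpoint; return (results, forwarded)."""
    m = RewardModel(fixed)
    out = []
    for amount in accruals:
        m.accrue(amount)
        try:
            out.append(m.calc_reward_integral())
        except Revert:
            out.append("revert")
    return out, m.claim_contract

if __name__ == "__main__":
    print("as reported:", replay(False, (1000, 0)))         # PoC: second call reverts
    print("delayed    :", replay(False, (1000, 1500, 0)))   # only 500 of 1500 forwarded
    print("assumed fix:", replay(True, (1000, 1500, 0)))
```

The second run shows the delayed distribution: the 1500 tokens that arrive after the first checkpoint are only forwarded in excess of the stale reward.remaining, and the following checkpoint reverts.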

