Lines of code

Vulnerability details

Impact

If deposits and withdraws are done frequently enough, the reward update operation they invoke will deal mostly with the case when there is nothing to add yet, i.e. reward.remaining match the reward token balance.

If reward token doesn’t allow for zero value transfers, the reward update function will fail on an empty incremental reward transfer, which is now done unconditionally, reverting the caller deposit/withdrawal functionality

Proof of Concept

When ConvexStakingWrapper isn’t paused, every deposit and withdraw update current rewards via _checkpoint function before proceeding:

<https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L233&gt;

<https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L260&gt;

_checkpoint calls _calcRewardIntegral for each of the reward tokens of the pid:

<https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L220&gt;

_calcRewardIntegral updates the incremental reward for the token, running the logic even if reward is zero, which is frequently the case:

<https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L182&gt;

If the reward token doesn’t allow zero value transfers, this transfer will fail, reverting the corresponding deposit or withdraw

Recommended Mitigation Steps

Consider checking the reward before doing transfer (and the related computations as an efficiency measure):

Now:

IERC20(reward.token).transfer(address(claimContract), d_reward);

To be:

if (d_reward > 0)
	IERC20(reward.token).transfer(address(claimContract), d_reward);

---

The text was updated successfully, but these errors were encountered:

All reactions