Code4rena, 2022-03-biconomy findings, issue 163
Mar 16, 2022

LiquidityFarming.withdraw permanently freezes any unpaidRewards left

Source: Code4rena (github.com)
Keywords: liquidityfarming, withdraw, unpaidrewards, retrieval, mitigation, nftinfo

Lines of code

Vulnerability details

Impact

The remainder stored in nft.unpaidRewards is lost and cannot be retrieved after LiquidityFarming.withdraw. That is, extractRewards cannot later collect the unpaidRewards if withdraw was called while the contract's reward balance was insufficient to pay out the full rewards due, a condition that a user cannot reasonably estimate in advance.

Proof of Concept

LiquidityFarming._sendRewardsForNft is called by the user-facing withdraw and extractRewards functions.

There, when the balance is insufficient to transfer the full rewards to the user, the remainder is stored in the unpaidRewards variable:

<https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L134-L160>

If this happens during an extractRewards call, reward gathering can be run again later, once there is enough balance to pay out the unpaidRewards:

<https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L259>

However, when the reward token balance is insufficient during LiquidityFarming.withdraw, the unpaidRewards are lost for the user, because the nftInfo structure that the reward-gathering logic relies on is unconditionally deleted:

<https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityFarming.sol#L244>

Recommended Mitigation Steps

A way to retrieve the residual rewards after withdraw can be added to the extractRewards -> _sendRewardsForNft logic.

For example, instead of deleting the nftInfo structure, a flag can be set indicating that the stake is no longer active but remainder rewards are still to be retrieved. When extractRewards is called with this flag set, only the retrieval of nft.unpaidRewards is attempted.
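As an added illustration, not the Biconomy contract's own code, the following minimal contract places the vulnerable withdraw shape (unconditional delete) beside the flag-based mitigation described above. The ERC20 reward token, the `pending` field and the `withdrawn` flag are assumptions made for the sketch.

```solidity
pragma solidity ^0.8.0;

// Sketch of the reported pattern, not the Biconomy contract; the ERC20 reward token and the `pending`/`withdrawn` fields are assumptions.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

contract RewardsSketch {
    struct NFTInfo {
        address owner;
        uint256 pending;       // accrued but not yet paid (assumed field)
        uint256 unpaidRewards; // shortfall left by an underfunded payout
        bool withdrawn;        // mitigation flag: stake closed, remainder still claimable
    }
    IERC20 public immutable rewardToken;
    mapping(uint256 => NFTInfo) public nftInfo;
    constructor(IERC20 token) { rewardToken = token; }

    // Pays what the balance allows and parks the shortfall in unpaidRewards.
    function _sendRewardsForNft(NFTInfo storage nft, address to) internal {
        uint256 due = nft.pending + nft.unpaidRewards;
        uint256 bal = rewardToken.balanceOf(address(this));
        uint256 pay = due > bal ? bal : due;
        nft.pending = 0;
        nft.unpaidRewards = due - pay;
        if (pay > 0) require(rewardToken.transfer(to, pay), "transfer failed");
    }
    // Vulnerable shape: delete discards the unpaidRewards just written above.
    function withdrawUnsafe(uint256 id) external {
        NFTInfo storage nft = nftInfo[id];
        require(nft.owner == msg.sender, "not owner");
        _sendRewardsForNft(nft, msg.sender);
        delete nftInfo[id]; // extractRewards can never find this entry again
    }
    // Mitigated shape: delete only when nothing is owed, otherwise flag and keep.
    function withdrawSafe(uint256 id) external {
        NFTInfo storage nft = nftInfo[id];
        require(nft.owner == msg.sender && !nft.withdrawn, "not active");
        _sendRewardsForNft(nft, msg.sender);
        if (nft.unpaidRewards == 0) delete nftInfo[id];
        else nft.withdrawn = true;
    }
    // Once flagged, pending stays 0, so only the remainder is attempted here.
    function extractRewards(uint256 id) external {
        NFTInfo storage nft = nftInfo[id];
        require(nft.owner == msg.sender, "not owner");
        _sendRewardsForNft(nft, msg.sender);
        if (nft.withdrawn && nft.unpaidRewards == 0) delete nftInfo[id];
    }
}
```

After withdrawSafe leaves a flagged entry, a later extractRewards call pays the remainder once the balance allows and only then clears the entry.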
