Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2022-05-AURA-FINDINGS-ISSUES-149
HistoryMay 21, 2022 - 12:00 a.m.

ConvexMasterChef: When _lpToken is duplicated, reward calculation is incorrect

2022-05-2100:00:00
Code4rena
github.com
6
JSON

Lines of code

Vulnerability details

Impact

Same as IDX-002 in <https://public-stg.inspex.co/report/Inspex_AUDIT2021024_LuckyLion_Farm_FullReport_v2.0.pdf&gt;
In the ConvexMasterChef contract, a new staking pool can be added using the add() function. The staking token for the new pool is defined using the _lpToken variable. However, there is no additional checking whether the _lpToken is already used in other pools or not.

    function add(
        uint256 _allocPoint,
        IERC20 _lpToken,
        IRewarder _rewarder,
        bool _withUpdate
    ) public onlyOwner {
        if (_withUpdate) {
            massUpdatePools();
        }
        uint256 lastRewardBlock = block.number &gt; startBlock
            ? block.number
            : startBlock;
        totalAllocPoint = totalAllocPoint.add(_allocPoint);
        poolInfo.push(
            PoolInfo({
                lpToken: _lpToken,
                allocPoint: _allocPoint,
                lastRewardBlock: lastRewardBlock,
                accCvxPerShare: 0,
                rewarder: _rewarder
            })
        );
    }

When the _lpToken is duplicated, reward calculation for that pool in the updatePool() function can be incorrect. This is because the current balance of the _lpToken in the contract is used in the calculation of the reward. Since the _lpToken is duplicated, lpSupply is counted from all pools using the same _lpToken, resulting in a higher value of lpSupply, causing the reward of that pool to be less than what it should be.

    function updatePool(uint256 _pid) public {
        PoolInfo storage pool = poolInfo[_pid];
        if (block.number &lt;= pool.lastRewardBlock) {
            return;
        }
        uint256 lpSupply = pool.lpToken.balanceOf(address(this));
        if (lpSupply == 0) {
            pool.lastRewardBlock = block.number;
            return;
        }
        uint256 multiplier = getMultiplier(pool.lastRewardBlock, block.number);
        uint256 cvxReward = multiplier
            .mul(rewardPerBlock)
            .mul(pool.allocPoint)
            .div(totalAllocPoint);
        //cvx.mint(address(this), cvxReward);
        pool.accCvxPerShare = pool.accCvxPerShare.add(
            cvxReward.mul(1e12).div(lpSupply)
        );
        pool.lastRewardBlock = block.number;
    }

#Proof of Concept
<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/ConvexMasterChef.sol#L186-L206&gt;

Tools Used

None

Recommended Mitigation Steps

Make sure _lpToken is not used in other pools in the add() function

The text was updated successfully, but these errors were encountered:

All reactions

JSON