Lines of code

Vulnerability details

Impact

Users are charged the penalty due to admin actions, and they have no way to avoid it

Proof of Concept

When claiming their rewards, users are charged a penalty if they take the reward directly, rather than by passing it into the auraLocker. Those are the only two options:

File: contracts/AuraBalRewardPool.sol   #1

176       function getReward(bool _lock) public updateReward(msg.sender) returns (bool) {
177           uint256 reward = rewards[msg.sender];
178           if (reward > 0) {
179               rewards[msg.sender] = 0;
180               if (_lock) {
181                   auraLocker.lock(msg.sender, reward);
182               } else {
183                   uint256 penalty = (reward * 2) / 10;
184                   pendingPenalty += penalty;
185                   rewardToken.safeTransfer(msg.sender, reward - penalty);
186               }

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L176-L186&gt;

If the pool has been shut down, the auraLocker.lock() call will always revert, which means the user must take the penalty path:

File: contracts/AuraLocker.sol   #2

258       function _lock(address _account, uint256 _amount) internal {
259           require(_amount > 0, "Cannot stake 0");
260           require(!isShutdown, "shutdown");

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L258-L260&gt;

Tools Used

Code inspection

Recommended Mitigation Steps

Don’t charge the penalty if the locker has been shut down

The text was updated successfully, but these errors were encountered:

All reactions