code423n4 | Code4rena | CODE423N4:2022-05-AURA-FINDINGS-ISSUES-181
May 23, 2022 - 12:00 a.m.

Users can get rewards even if not locking for the full lock duration

code inspection
stealing rewards
time manipulation

Lines of code

Vulnerability details

Impact

Users can get rewards that should only have gone to users that locked for the full duration, effectively stealing from those other users.

Proof of Concept

This is the relevant logic from lock() that determines the time at which the funds are unlocked:

File: contracts/AuraLocker.sol   #1

275           uint256 currentEpoch = block.timestamp.div(rewardsDuration).mul(rewardsDuration);
276           uint256 unlockTime = currentEpoch.add(lockDuration);

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L275-L276>

Consider the following scenario:

lock dur    :  5
rewards dur :  3
timestamp   :  0-----1-----2-----3-----4-----5-----6-----7-----8-----9-----10
epoch       :  0000000000000000001111111111111111112222222222222222223333333
lock/unlock :  U-----------L-----------------X-----------------------------|

lock(t2) should be locked until at least t7 (but really, until t8) to have been locked for the lock duration of 5, but 2/3*0+5 = 5, so it’s only locked for 3.
This means all users locking during an epoch, but not exactly at the end of an epoch, are stealing rewards from all users coming before them in the epoch.
This is especially a disincentive for users to re-lock if they can just withdraw and get some extra time being unlocked before locking again.
Convex fixed this when they upgraded to the v2 locker: <https://github.com/convex-eth/platform/blob/1f11027d429e454dacc4c959502687eaeffdb74a/contracts/contracts/CvxLockerV2.sol#L23-L26>, where re-locking happens in the current epoch, and withdrawing and depositing later forces the user into the next epoch.

Tools Used

Code inspection

Recommended Mitigation Steps

Lock into the next epoch like Convex does, except if re-locking.
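
The following Python model is an added illustration, not code from the Aura or Convex repositories. It reproduces the unlock-time arithmetic quoted from lock() using the scenario's durations (lock 5, rewards 3) and compares it with a hypothetical next-epoch variant based on the recommendation above; all function names are assumptions.

```python
# Added illustration: models the unlock-time arithmetic quoted from lock().
# Durations come from the report's scenario; the mitigated variant is an
# assumption based on the report's recommendation, not Aura or Convex code.

REWARDS_DURATION = 3   # "rewards dur" in the scenario
LOCK_DURATION = 5      # "lock dur" in the scenario


def epoch_start(timestamp, rewards_duration=REWARDS_DURATION):
    """Mirrors block.timestamp.div(rewardsDuration).mul(rewardsDuration)."""
    return (timestamp // rewards_duration) * rewards_duration


def unlock_time_current(timestamp):
    """Logic as quoted: unlock is measured from the start of the current epoch."""
    return epoch_start(timestamp) + LOCK_DURATION


def unlock_time_mitigated(timestamp, is_relock=False):
    """Hypothetical fix: a new lock starts counting from the next epoch."""
    start = epoch_start(timestamp)
    if not is_relock:
        start += REWARDS_DURATION
    return start + LOCK_DURATION


def effective_lock(timestamp, unlock_fn):
    """Time the funds stay locked when lock() is called at `timestamp`."""
    return unlock_fn(timestamp) - timestamp


def short_locks(unlock_fn, timestamps):
    """Lock times whose effective lock is shorter than LOCK_DURATION."""
    return [t for t in timestamps if effective_lock(t, unlock_fn) < LOCK_DURATION]


if __name__ == "__main__":
    print(" t  current  mitigated")
    for t in range(0, 9):
        print(f"{t:2d}  {effective_lock(t, unlock_time_current):7d}"
              f"  {effective_lock(t, unlock_time_mitigated):9d}")
    print("short under current logic:", short_locks(unlock_time_current, range(0, 9)))
    print("short under mitigation   :", short_locks(unlock_time_mitigated, range(0, 9)))
```

Under the quoted logic only locks made exactly at an epoch boundary last the full duration, while the next-epoch variant never yields a lock shorter than the lock duration.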

