Code4rena CODE423N4:2022-05-AURA-FINDINGS-ISSUES-288
May 25, 2022 - 12:00 a.m.

No rewards will be queued for users at intervals


Lines of code
<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L840>

Vulnerability details

Impact

The 20% penalty that is taken from users who claim their rewards but choose not to stake in the AuraLocker is sent to the penaltyForwarder. Thereafter, it gets distributed to the locker to be queued, but the issue in AuraLocker.queueNewRewards() is that the value for queuedCvxCrvRewards will be incorrectly stored. _notifyReward() is called prior to this value being assigned. The instances are highlighted below:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L829>

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L840>

In the first snippet, the block.timestamp will be greater than the rdata.periodFinish because it is first set in addReward() and will be less than or equal to whatever the timestamp is when it's first called:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L200>

After the first ever call to queueRewards(), the rdata.periodFinish will be modified to a period in the future:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L872>

The rdata.periodFinish will now be set to a date in the future, but the value for queuedRatio will always be skewed because elapsed will always return zero. With queuedRatio always being < rewardRatio, there will be no queuedCvxCrvRewards for the user:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L836>

For the above-mentioned code, the rewardsDuration should not be subtracted from the periodFinish, as it will return the exact time as the current block.timestamp.

The same applies to:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L336>

Also:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/VirtualBalanceRewardPool.sol#L224>

PS. I noticed there was an issue with AuraLocker._notifyReward() and baseRewardPool.notifyRewardAmount(). The leftover is added to the crv rewards that are queued:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/convex-platform/contracts/contracts/BaseRewardPool.sol#L361>

but this is not done for:

<https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraLocker.sol#L867>

This leftover value is only used to calculate the rewardRate and is not used to store the currentRewards similar to baseRewardPool. Hence, no allocation of current crv rewards is recorded.

Recommended Mitigation Steps

For the first issue:
Additionally, change variable names for the other contracts that have a similar issue as mentioned above.

uint256 elapsed = rdata.periodFinish - block.timestamp;

Second issue:

Add leftover to the reward being notified and store it in a state variable akin to BaseRewardPool, and use a state variable to cache the reward plus leftover.

