Code4rena: 2022-09-tribe findings, issue 142
Sep 12, 2022

Loss of precision will lock portions of tokens


Lines of code

Vulnerability details

Impact

When the initial balance of a redemption reward token is smaller than the base, small amounts of the token will be rounded down to zero, meaning users who redeem small amounts will get nothing for their tokens. Broken accounting means high severity.

Proof of Concept

File: /contracts/shutdown/redeem/TribeRedeemer.sol   #1

```solidity
for (uint256 i = 0; i < tokensReceived.length; i++) {
    uint256 balance = IERC20(tokensReceived[i]).balanceOf(address(this));
    require(balance != 0, "ZERO_BALANCE");
    // @dev, this assumes all of tokensReceived and redeemedToken
    // have the same number of decimals
    uint256 redeemedAmount = (amountIn * balance) / base;
    amountsOut[i] = redeemedAmount;
}
```

https://github.com/code-423n4/2022-09-tribe/blob/769b0586b4975270b669d7d1581aa5672d6999d5/contracts/shutdown/redeem/TribeRedeemer.sol#L53-L60

Ignoring the issue with the pro-rata formula that I flagged separately in another issue, assume that the following is the very first redemption where:

amountIn = 10,000; balance = 10; base = 1,000,000
redeemedAmount = (10000 * 10) / 1000000 = 0.1, which integer division truncates to 0

If most users have <= 10,000, or break up their redemptions into portions less than that amount (e.g. balances in multiple protocols/dexes that are redeemed on a protocol-by-protocol basis), then most of the tokens will remain locked in the contract.

Note that there is no function that changes the base, and no hooks that do so either.

Tools Used

Code inspection

Recommended Mitigation Steps

Assign every redemption reward token a separate base so that one wei of the redemption token is always worth at least one wei of the redemption reward token.
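The following is an added example (not code from the report or the Tribe repository) that mirrors the integer arithmetic of the loop quoted above in Python, so the truncation in the proof of concept and the "one wei for one wei" property of the mitigation can be checked offline. The function names and all input values are constructed for this illustration.

```python
from __future__ import annotations

# Added example, not code from the Code4rena report or the Tribe repository.
# It reproduces `redeemedAmount = (amountIn * balance) / base` with Solidity's
# floor semantics so the rounding to zero can be measured. Inputs are constructed.


def redeemed_amount(amount_in: int, balance: int, base: int) -> int:
    """Payout for one reward token, using Solidity's floor division."""
    if balance == 0:
        raise ValueError("ZERO_BALANCE")  # same condition the require() reverts on
    return (amount_in * balance) // base


def min_redeemable(balance: int, base: int) -> int:
    """Smallest amountIn that yields at least one wei of the reward token
    (integer ceiling of base / balance; anything below rounds down to zero)."""
    return (base + balance - 1) // balance


def one_wei_redeemable(balance: int, base: int) -> bool:
    """Property the mitigation asks for: one wei of the redeemed token is worth
    at least one wei of the reward token, i.e. floor(balance / base) >= 1."""
    return balance >= base


def simulate_redemptions(amounts_in: list[int], balance: int, base: int) -> tuple[int, int]:
    """Apply a sequence of redemptions with base held fixed (as the report
    assumes), paying each one out of the remaining balance.
    Returns (total_paid, tokens_left_locked_in_contract)."""
    paid = 0
    for amount_in in amounts_in:
        paid += redeemed_amount(amount_in, balance - paid, base)
    return paid, balance - paid


if __name__ == "__main__":
    balance, base = 10, 1_000_000                   # the report's first-redemption scenario
    print(redeemed_amount(10_000, balance, base))   # 0: 100_000 // 1_000_000
    print(min_redeemable(balance, base))            # 100_000: amountIn needed for 1 wei
    print(one_wei_redeemable(balance, base))        # False: balance < base
    # 100 users each redeem 10_000 (the entire base between them): 0 paid, 10 wei locked
    print(simulate_redemptions([10_000] * 100, balance, base))  # (0, 10)
```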
