Code4rena: 2022-10-Paladin findings, issue 144
Oct 30, 2022

Pledge creator can extend pledge without paying in edge cases.

Tags: pledge creator, vulnerability, payment, proof of concept, mitigation steps, erc20 tokens

Lines of code

Vulnerability details

Impact

Pledge creator can extend pledge without paying in edge cases.

Proof of Concept

When a pledge creator wants to extend a pledge, they must transfer an additional reward amount and a fee, computed as:

uint256 totalRewardAmount = (pledgeParams.rewardPerVote * pledgeParams.votesDifference * addedDuration) / UNIT;
uint256 feeAmount = (totalRewardAmount * protocalFeeRatio) / MAX_PCT ;

However, since totalRewardAmount is calculated using integer division, totalRewardAmount (and therefore feeAmount, which is derived from it) rounds down to 0 in edge cases
where pledgeParams.rewardPerVote * pledgeParams.votesDifference * addedDuration < UNIT.
The function then goes ahead and transfers totalRewardAmount and feeAmount to the WardenPledge contract and chestAddress, and increases the pledge duration, without checking that totalRewardAmount or feeAmount is greater than 0:

        if(totalRewardAmount > maxTotalRewardAmount) revert Errors.IncorrectMaxTotalRewardAmount();
        if(feeAmount > maxFeeAmount) revert Errors.IncorrectMaxFeeAmount();

        // Pull all the rewards in this contract
        IERC20(pledgeParams.rewardToken).safeTransferFrom(creator, address(this), totalRewardAmount);
        // And transfer the fees from the Pledge creator to the Chest contract
        IERC20(pledgeParams.rewardToken).safeTransferFrom(creator, chestAddress, feeAmount);

        // Update the Pledge parameters in storage
        pledgeParams.endTimestamp = safe64(newEndTimestamp);

        pledgeAvailableRewardAmounts[pledgeId] += totalRewardAmount;

Since many ERC20 tokens do not revert on a transfer of 0, the creator can extend the pledge without actually transferring
any reward amount or fee to the WardenPledge contract and the chest.

Tools Used

Manual review.

Recommended Mitigation Steps

Before transferring the reward amount and fee, check that both totalRewardAmount and feeAmount are greater than 0, and revert otherwise.
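As an added illustration of both the rounding edge case in the proof of concept and the recommended check (example code written for this writeup, not the Paladin WardenPledge contract), the function below recomputes the extension cost with the same formulas and rejects the case where it rounds to zero before any token movement would occur. UNIT = 1e18 and MAX_PCT = 10000 are assumed scale constants, the struct and parameter names mirror the snippet above, and ZeroAmount is a hypothetical error name.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's own code: models the extension-cost
// calculation from the finding with the zero-amount check the mitigation asks for.
contract PledgeExtensionCheck {
    uint256 public constant UNIT = 1e18;     // assumed fixed-point scale
    uint256 public constant MAX_PCT = 10000;  // assumed basis-point denominator

    error ZeroAmount();                       // hypothetical error for this example
    error IncorrectMaxTotalRewardAmount();
    error IncorrectMaxFeeAmount();

    struct Pledge {
        uint256 rewardPerVote;
        uint256 votesDifference;
    }

    /// Computes the extra reward and fee for extending a pledge by addedDuration
    /// seconds and reverts when integer division drives either amount to zero,
    /// so a creator cannot lengthen a pledge while the transfers move nothing.
    function quoteExtension(
        Pledge memory pledgeParams,
        uint256 addedDuration,
        uint256 protocolFeeRatio,
        uint256 maxTotalRewardAmount,
        uint256 maxFeeAmount
    ) public pure returns (uint256 totalRewardAmount, uint256 feeAmount) {
        // Same arithmetic as the finding: rounds down when the product is below UNIT.
        totalRewardAmount =
            (pledgeParams.rewardPerVote * pledgeParams.votesDifference * addedDuration) / UNIT;
        feeAmount = (totalRewardAmount * protocolFeeRatio) / MAX_PCT;

        // Mitigation: reject the edge case before any safeTransferFrom would run.
        if (totalRewardAmount == 0 || feeAmount == 0) revert ZeroAmount();

        // Existing slippage-style bounds from the original flow.
        if (totalRewardAmount > maxTotalRewardAmount) revert IncorrectMaxTotalRewardAmount();
        if (feeAmount > maxFeeAmount) revert IncorrectMaxFeeAmount();
    }
}
```

Calling quoteExtension with rewardPerVote = 1, votesDifference = 1 and addedDuration = 1 yields a product of 1 wei, far below UNIT, so totalRewardAmount is 0 and the call reverts with ZeroAmount; with the check removed it would return (0, 0) and the subsequent transfers would succeed on most ERC20 tokens while moving nothing.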
