Lines of code
<https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/PxGmxReward.sol#L68-L84>
A flashloan can be used to set a huge last balance which later will accrue a huge reward.
Buy lots of a rewards-producing token, possibly by means of a flashloan. Call PirexRewards.userAccrue() which sets u.lastBalance to this now very high value. Sell back the tokens and return rthe flashloan.
Next time PirexRewards.userAccrue() is called the reward will be very high.
function userAccrue(ERC20 producerToken, address user) public {
if (address(producerToken) == address(0)) revert ZeroAddress();
if (user == address(0)) revert ZeroAddress();
UserState storage u = producerTokens[producerToken].userStates[user];
uint256 balance = producerToken.balanceOf(user);
// Calculate the amount of rewards accrued by the user up to this call
uint256 rewards = u.rewards +
u.lastBalance *
(block.timestamp - u.lastUpdate);
u.lastUpdate = block.timestamp.safeCastTo32();
u.lastBalance = balance.safeCastTo224();
u.rewards = rewards;
emit UserAccrue(producerToken, user, block.timestamp, balance, rewards);
}
Similarly in PxGmxRewards._userAccrue()
Code inspection
The text was updated successfully, but these errors were encountered:
All reactions