Code4rena finding CODE423N4:2022-11-REDACTEDCARTEL-FINDINGS-ISSUES-412
Nov 28, 2022

`userAccrue` rewards manipulation


Lines of code
<https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/vaults/PxGmxReward.sol#L68-L84>

Vulnerability details

Impact

A flashloan can be used to set a huge last balance which later will accrue a huge reward.

Proof of Concept

Buy lots of a rewards-producing token, possibly by means of a flashloan. Call PirexRewards.userAccrue(), which sets u.lastBalance to this now very high value. Sell back the tokens and return the flashloan.
The next time PirexRewards.userAccrue() is called, the reward will be very high.

function userAccrue(ERC20 producerToken, address user) public {
    if (address(producerToken) == address(0)) revert ZeroAddress();
    if (user == address(0)) revert ZeroAddress();

    UserState storage u = producerTokens[producerToken].userStates[user];
    uint256 balance = producerToken.balanceOf(user);

    // Calculate the amount of rewards accrued by the user up to this call
    uint256 rewards = u.rewards +
        u.lastBalance *
        (block.timestamp - u.lastUpdate);

    u.lastUpdate = block.timestamp.safeCastTo32();
    u.lastBalance = balance.safeCastTo224();
    u.rewards = rewards;

    emit UserAccrue(producerToken, user, block.timestamp, balance, rewards);
}

Similarly in PxGmxRewards._userAccrue()
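
An added model (Python, not the project's Solidity) of the accrual arithmetic in `userAccrue`, for checking the invariant that credited token-seconds equal the balance actually held over time. The `Ledger`, `replay` and `invariant_holds` names, the `accrue_on_change` switch and the timeline are assumptions of this example; whether the producer token accrues on every balance change is not shown on this page.

```python
from dataclasses import dataclass

@dataclass
class Ledger:
    # accrue_on_change is this model's assumption: when True, every balance
    # change also calls user_accrue, so last_balance can never go stale.
    accrue_on_change: bool
    balance: int = 0
    last_update: int = 0
    last_balance: int = 0
    rewards: int = 0

    def user_accrue(self, now):
        # Same arithmetic as userAccrue: stored snapshot * elapsed seconds.
        self.rewards += self.last_balance * (now - self.last_update)
        self.last_update = now
        self.last_balance = self.balance

    def set_balance(self, now, new_balance):
        self.balance = new_balance
        if self.accrue_on_change:
            self.user_accrue(now)

def replay(events, accrue_on_change):
    """Return (credited, held): credited is u.rewards, held is the balance
    actually held integrated over time. Both are in token-seconds."""
    ledger, held, prev_t = Ledger(accrue_on_change), 0, 0
    for t, op, value in events:
        held += ledger.balance * (t - prev_t)
        prev_t = t
        if op == "balance":
            ledger.set_balance(t, value)
        else:
            ledger.user_accrue(t)
    return ledger.rewards, held

# Constructed timeline for the sequence in the report; events sharing a
# timestamp happen inside one transaction.
SAME_BLOCK_ROUND_TRIP = [
    (100, "balance", 1_000_000),  # tokens acquired
    (100, "accrue", None),        # snapshot taken while balance is inflated
    (100, "balance", 0),          # tokens disposed of in the same transaction
    (86_500, "accrue", None),     # one day later
]

def invariant_holds(events, accrue_on_change):
    credited, held = replay(events, accrue_on_change)
    return credited == held

if __name__ == "__main__":
    for hooked in (False, True):
        print(hooked, replay(SAME_BLOCK_ROUND_TRIP, hooked))
```

The same `invariant_holds` check can be run over any recorded sequence of balance changes and accrual calls as a regression test for the accounting.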

Tools Used

Code inspection

Recommended Mitigation Steps

