CODE423N4:2022-12-GOGOPOOL-FINDINGS-ISSUES-757
Jan 03, 2023

PROTOCOL MIGHT NOT BE ABLE TO OPERATE DUE TO LACK OF FUNDS

Source: Code4rena (github.com)
Tags: protocol, redeem/withdrawal, funds, insolvent, users, mitigation

Lines of code
<https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/TokenggAVAX.sol#L191>

Vulnerability details

Impact

Redeem/withdraw calls will fail whenever the AVAX actually held by the vault is less than the amount requested, so users who want to redeem/withdraw their AVAX while most of it is delegated to minipools will not be able to.

Proof of Concept

Users deposit AVAX into TokenggAVAX and receive ggAVAX shares in return. The deposited AVAX is then delegated by MinipoolManager to validators for a minimum staking period of 14 days, during which it cannot be returned to the vault. The problem is that TokenggAVAX lets any ggAVAX holder burn their shares for AVAX at any time, including during an active staking period / reward cycle, while only the undelegated remainder is actually liquid. Assume 1010 AVAX were supplied by 1010 users (1 AVAX each, 1:1 share price) and 1000 AVAX (the minimum minipool amount) were handed to MinipoolManager to be staked. Only 10 AVAX remain in TokenggAVAX. If 20 of those users then try to withdraw/redeem 1 AVAX each, the first 10 succeed and the remaining 10 revert: the vault still accounts for all 1010 AVAX (it is not insolvent in the accounting sense), but it is illiquid, and those users cannot redeem/withdraw until staked AVAX is returned.
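The liquidity arithmetic in the paragraph above, as an added example that is not part of the original finding or of the GoGoPool code. It is a toy model: the class, method and variable names are assumptions, shares are priced 1:1 with AVAX (no rewards, no reward-cycle logic), and the only point it reproduces is that withdrawals exceeding the undelegated balance revert while the vault's total assets are unchanged. It also shows the check a practitioner would want the vault to expose: a maxWithdraw-style view capped by liquid assets, so integrators can tell before calling that a withdrawal cannot be served.

```python
"""Toy model of a liquid-staking vault that forwards deposits to a staking
contract. Written for this page to reproduce the 1010 / 1000 / 20 scenario in
the finding; it is not GoGoPool code and all names below are assumptions."""


class LiquidityError(Exception):
    """Raised when a withdrawal exceeds the AVAX actually sitting in the vault."""


class StakingVault:
    def __init__(self):
        self.shares = {}   # user -> share balance (1 share == 1 AVAX in this model)
        self.liquid = 0    # AVAX held by the vault and available to withdraw now
        self.staked = 0    # AVAX forwarded to the staking contract (locked)

    def total_assets(self):
        # Accounting view: the vault stays solvent as long as shares <= total assets.
        return self.liquid + self.staked

    def deposit(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount
        self.liquid += amount

    def stake(self, amount):
        # Forward AVAX to the staking contract; it is unavailable until unstaked.
        if amount > self.liquid:
            raise LiquidityError("cannot stake more than the liquid balance")
        self.liquid -= amount
        self.staked += amount

    def max_withdraw(self, user):
        # What an ERC-4626-style maxWithdraw should report: the user's claim,
        # capped by the liquidity the vault can actually pay out right now.
        return min(self.shares.get(user, 0), self.liquid)

    def withdraw(self, user, amount):
        if amount > self.shares.get(user, 0):
            raise ValueError("insufficient shares")
        if amount > self.liquid:
            # The vault still owns the assets (they are staked), so this is an
            # illiquidity failure, not insolvency; on-chain the call would revert.
            raise LiquidityError(f"only {self.liquid} AVAX liquid, {amount} requested")
        self.shares[user] -= amount
        self.liquid -= amount
        return amount


def run_scenario(depositors=1010, staked=1000, withdrawers=20):
    """Reproduce the finding's numbers: `depositors` users deposit 1 AVAX each,
    `staked` AVAX is delegated, then `withdrawers` users each try to withdraw 1.
    Returns (succeeded, reverted, max_withdraw for the last depositor, total assets)."""
    vault = StakingVault()
    for i in range(depositors):
        vault.deposit(f"user{i}", 1)
    vault.stake(staked)

    succeeded = reverted = 0
    for i in range(withdrawers):
        try:
            vault.withdraw(f"user{i}", 1)
            succeeded += 1
        except LiquidityError:
            reverted += 1
    last = f"user{depositors - 1}"
    return succeeded, reverted, vault.max_withdraw(last), vault.total_assets()


if __name__ == "__main__":
    ok, bad, remaining, assets = run_scenario()
    print(f"{ok} withdrawals succeeded, {bad} reverted; max_withdraw for a "
          f"remaining holder is {remaining}; vault still accounts for {assets} AVAX")
```

With the finding's numbers the model returns 10 successful withdrawals, 10 reverts, a maxWithdraw of 0 for every remaining holder, and total assets of 1000 AVAX still on the books. Reporting the liquidity-capped maximum is the check integrators need; a per-user timelock alone does not change the amount of AVAX that is actually withdrawable.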

Tools Used

Manual

Recommended Mitigation Steps

Add a user-specified time lock, chosen at deposit time and unique to each user, before that user's funds can be withdrawn. Staggering unlock times reduces the chance that many users try to redeem/withdraw at the same moment.

