Code4rena (code423n4): 2023-02-GOGOPOOL-MITIGATION-CONTEST-FINDINGS, issue 46
Feb 14, 2023

There is no way to retrieve the rewards from the MultisigManager and rewards are locked in the vault.

Lines of code

Vulnerability details

C4 issue

M-21: Division by zero error can block RewardsPool#startRewardCycle if all multisig wallet are disabled.

Comments

The protocol provides an external function startRewardsCycle() so that anyone can start a new reward cycle when necessary.
Before mitigation, there was an edge case in which this function reverted due to division by zero.
Edge case: no multisigs are enabled (possible after Ocyticus.disableAllMultisigs() or Ocyticus.pauseEverything() is called).

Mitigation

PR #37
If no multisig is enabled, the mitigation sends the rewards to the MultisigManager, which is reasonable.
But this creates another issue: there is no way to retrieve the rewards back from the MultisigManager.

New issue

There is no way to retrieve the rewards from the MultisigManager and rewards are locked in the vault.

Code snippet

Impact

There is no way to retrieve the rewards from the MultisigManager and rewards are locked in the vault.

Proof of Concept

The rewards accrued in this specific edge case are locked in the MultisigManager.
The funds are not lost: the protocol can be upgraded with a new MultisigManager contract that exposes a proper function to release them.
I evaluate the severity of the new issue as Medium because funds are locked in some specific edge cases and are only withdrawable after a contract upgrade.

Tools used

Manual Review

Recommended additional mitigation

Add a new external function to the MultisigManager, guarded by the guardianOrSpecificRegisteredContract("Ocyticus", msg.sender) modifier, that distributes the pending rewards to the active multisigs.
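As an added illustration of that recommendation (example code, not GoGoPool's MultisigManager), a Solidity sketch of such a sweep function. The multisig registry, the guardian/Ocyticus gate and holding the reward token in this contract rather than in the protocol Vault are all simplifications assumed for the example:

```solidity
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}
// Illustrative sketch, not GoGoPool's code: registry, access gate and token custody are simplified.
contract MultisigRewardsSweep {
    IERC20 public immutable rewardToken;
    address public immutable guardian;
    address public immutable ocyticus; // the one registered contract allowed to call
    address[] public multisigs;
    mapping(address => bool) public enabled;
    mapping(address => bool) public registered;
    error NotAuthorized();
    error NoEnabledMultisigs();
    error NothingToDistribute();
    // Stand-in for guardianOrSpecificRegisteredContract("Ocyticus", msg.sender).
    modifier guardianOrOcyticus() {
        if (msg.sender != guardian && msg.sender != ocyticus) revert NotAuthorized();
        _;
    }
    constructor(IERC20 token, address ocyticus_) {
        rewardToken = token;
        guardian = msg.sender;
        ocyticus = ocyticus_;
    }

    // Register a multisig or flip its enabled flag (disabling all of them recreates the edge case).
    function setMultisig(address addr, bool on) external guardianOrOcyticus {
        if (!registered[addr]) { registered[addr] = true; multisigs.push(addr); }
        enabled[addr] = on;
    }

    // Recommended additional mitigation: pay rewards parked here out to the active multisigs.
    // Counting first and reverting on zero avoids the division by zero behind M-21.
    function distributePendingRewards() external guardianOrOcyticus returns (uint256 perMultisig) {
        uint256 pending = rewardToken.balanceOf(address(this));
        if (pending == 0) revert NothingToDistribute();
        uint256 active;
        for (uint256 i; i < multisigs.length; ++i) if (enabled[multisigs[i]]) ++active;
        if (active == 0) revert NoEnabledMultisigs();
        perMultisig = pending / active;
        for (uint256 i; i < multisigs.length; ++i) {
            address m = multisigs[i];
            if (enabled[m]) require(rewardToken.transfer(m, perMultisig), "transfer failed");
        }
        // Integer-division dust stays behind for the next sweep.
    }
}
```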

Conclusion

Mitigation error: the fix created another issue for the same edge case.
