M-21: Division by zero error can block RewardsPool#startRewardCycle if all multisig wallets are disabled.
The protocol provides an external function startRewardsCycle() so that anyone can start a new reward cycle if necessary.
Before mitigation, there was an edge case where this function would revert due to division by zero.
Edge case: no multisigs are enabled (possible when Ocyticus.disableAllMultisigs() or Ocyticus.pauseEverything() is called).
PR #37
If no multisig is enabled, the mitigation sends the rewards to the MultisigManager, which makes sense.
But this created another issue. There is no way to retrieve the rewards back from the MultisigManager.
There is no way to retrieve the rewards from the MultisigManager and rewards are locked in the vault.
The rewards that were accrued in this specific edge case are locked in the MultisigManager.
It is understood that the funds are not lost and the protocol can be upgraded with a new MultisigManager contract with a proper function.
I evaluate the severity of the new issue as Medium because funds are locked in some specific edge cases and only withdrawable after contract upgrades.
Manual Review
Add a new external function in the MultisigManager with the guardianOrSpecificRegisteredContract("Ocyticus", msg.sender) modifier that distributes the pending rewards to the active multisigs.
Mitigation error - created another issue for the same edge case.
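A sketch of the recommended distribution function, added here as an example and not taken from the GoGoPool code base. It assumes the reward token is held directly by the contract rather than in the protocol's vault, replaces the guardianOrSpecificRegisteredContract modifier with a simple `onlyGuardian` stand-in, and every name in it (`MultisigRewardsSketch`, `IERC20Like`, `addMultisig`, `distributePendingRewards`) is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration. All names here are hypothetical, not GoGoPool's API.
interface IERC20Like {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract MultisigRewardsSketch {
    struct Multisig { address addr; bool enabled; }

    IERC20Like public immutable rewardToken;
    address public immutable guardian; // stand-in for the guardian/Ocyticus check
    Multisig[] public multisigs;

    error NotAuthorized();
    error NoEnabledMultisigs();
    error TransferFailed();

    modifier onlyGuardian() {
        if (msg.sender != guardian) revert NotAuthorized();
        _;
    }

    constructor(IERC20Like token, address guardian_) {
        rewardToken = token;
        guardian = guardian_;
    }

    function addMultisig(address addr, bool enabled) external onlyGuardian {
        multisigs.push(Multisig(addr, enabled));
    }

    // Splits rewards parked on this contract across the enabled multisigs.
    function distributePendingRewards() external onlyGuardian {
        uint256 enabledCount;
        for (uint256 i = 0; i < multisigs.length; i++) {
            if (multisigs[i].enabled) enabledCount++;
        }
        // Explicit guard: with zero enabled multisigs the division below would panic.
        if (enabledCount == 0) revert NoEnabledMultisigs();
        uint256 share = rewardToken.balanceOf(address(this)) / enabledCount;
        if (share == 0) return; // nothing distributable yet
        for (uint256 i = 0; i < multisigs.length; i++) {
            if (!multisigs[i].enabled) continue;
            if (!rewardToken.transfer(multisigs[i].addr, share)) revert TransferFailed();
        }
        // Any remainder from integer division stays here for the next call.
    }
}
```

The zero-count check reverts with a named error instead of a division panic, so the withdrawal path does not reintroduce the original failure mode in the same edge case.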