Feb 20, 2023

LinearDistributor.declareReward can revert due to dependency of balance

Code4rena
github.com

Lines of code
<https://github.com/code-423n4/2023-02-malt/blob/main/contracts/RewardSystem/LinearDistributor.sol#L185-L186>
<https://github.com/code-423n4/2023-02-malt/blob/main/contracts/RewardSystem/LinearDistributor.sol#L123-L136>

Vulnerability details

Impact

LinearDistributor.declareReward can be forced to revert, which can cause a permanent DoS.

Proof of Concept

In LinearDistributor.declareReward, if the contract's collateral token balance is greater than bufferRequirement, the excess is forfeited.

    if (balance > bufferRequirement) {
      // We have more than the buffer required. Forfeit the rest
      uint256 net = balance - bufferRequirement;
      _forfeit(net);
    }

And _forfeit requires that the forfeited amount (= balance - bufferRequirement) is at most declaredBalance.

  function _forfeit(uint256 forfeited) internal {
    require(forfeited <= declaredBalance, "Cannot forfeit more than declared");

So when an attacker sends collateral tokens directly to LinearDistributor, the balance increases without declaredBalance changing, and the require in _forfeit reverts, making declareReward revert.

Since declareReward transfers the vested amount out before calling _forfeit, and the vested amount grows over time, the DoS is only temporary in the general case.

    uint256 distributed = (linearBondedValue * netVest) / vestingBondedValue;
    uint256 balance = collateralToken.balanceOf(address(this));

    if (distributed > balance) {
      distributed = balance;
    }

    if (distributed > 0) {
      // Send vested amount to liquidity mine
      collateralToken.safeTransfer(address(rewardMine), distributed);
      rewardMine.releaseReward(distributed);
    }

    balance = collateralToken.balanceOf(address(this));

But if the attacker increases the balance by enough to cover the entire amount still vesting, declareReward will always revert, causing a permanent DoS.

decrementRewards updates declaredBalance, but it only ever decreases it, so it cannot clear the condition that causes the revert.

Tools Used

Manual Review

Recommended Mitigation Steps

Track collateral token balance and add sweep logic for unused collateral tokens in LinearDistributor.
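A minimal sketch of that mitigation, written for this report as an added example (it is not code from the Malt repository): the distributor keeps its own accounting of collateral it has received, forfeits only out of that tracked amount, and exposes a sweep for tokens that arrived outside the accounting path. The vesting logic is omitted, and the `treasury` recipient and the `transferFrom` pull in `declareReward` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical distributor that tracks collateral internally so a plain
/// transfer() into the contract cannot trip the forfeit check.
contract TrackedBalanceDistributor {
    using SafeERC20 for IERC20;

    IERC20 public immutable collateralToken;
    address public immutable treasury;   // assumed destination for forfeits and sweeps
    uint256 public bufferRequirement;    // configured elsewhere in a real deployment
    uint256 public declaredBalance;      // rewards declared but not yet paid out
    uint256 public trackedBalance;       // collateral this contract has accounted for

    constructor(IERC20 token, address treasury_, uint256 buffer) {
        collateralToken = token;
        treasury = treasury_;
        bufferRequirement = buffer;
    }

    /// Rewards enter only through this path, so they are always tracked.
    function declareReward(uint256 amount) external {
        collateralToken.safeTransferFrom(msg.sender, address(this), amount);
        declaredBalance += amount;
        trackedBalance += amount;

        // Forfeit decision uses the tracked amount, not balanceOf(this),
        // so untracked donations never inflate `net` past declaredBalance.
        if (trackedBalance > bufferRequirement) {
            _forfeit(trackedBalance - bufferRequirement);
        }
    }

    function _forfeit(uint256 forfeited) internal {
        require(forfeited <= declaredBalance, "Cannot forfeit more than declared");
        declaredBalance -= forfeited;
        trackedBalance -= forfeited;
        collateralToken.safeTransfer(treasury, forfeited);
    }

    /// Anyone may move tokens that bypassed the accounting path out of the contract.
    /// trackedBalance <= balanceOf(this) holds because tokens only leave via
    /// _forfeit (which decrements it) or this sweep (which leaves it untouched).
    function sweepUntracked() external {
        uint256 excess = collateralToken.balanceOf(address(this)) - trackedBalance;
        if (excess > 0) collateralToken.safeTransfer(treasury, excess);
    }
}
```

The invariant in sweepUntracked assumes a standard ERC20; a fee-on-transfer token would deliver less than `amount` and needs the tracked amount measured from balance deltas instead.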
