Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-07-TAPIOCA-FINDINGS-ISSUES-1663
HistoryAug 04, 2023 - 12:00 a.m.

ConvexTriCryptoStrategy might not compound all rewards

2023-08-0400:00:00
Code4rena
github.com
vulnerability
impact
proof of concept
claimzap
rewards
compound
mitigation
review
validate
token list
security
yield
loss
strategy

6.7 Medium

AI Score

Confidence

High

JSON

Lines of code

Vulnerability details

Impact

When compounding in ConvexTriCryptoStrategy, the number of tokens that is swapped into wETH does not account for extraRewards and tokenRewards. This can cause a loss of yield and rewards to be lost.

Proof of Concept

In ConvexTriCryptoStrategy._executeClaim function restricts the number of tokens to the number of rewardContracts that are claimed from:

require(
    tempData.rewardContracts.length == tempData.tokens.length,
    "ConvexTricryptoStrategy: claim data not valid"
);
...
zap.claimRewards(
    tempData.rewardContracts,
    tempData.extraRewardContracts,
    tempData.tokenRewardContracts,
    tempData.tokenRewardTokens,
    extrasTempData.depositCrvMaxAmount,
    extrasTempData.minAmountOut,
    extrasTempData.depositCvxMaxAmount,
    extrasTempData.spendCvxAmount,
    extrasTempData.options
);

for (uint256 i = 0; i < tempData.tokens.length; i++) {
    finalBalances[i] = balancesAfter[i] - balancesBefore[i];
}

//WARDEN: this data is used in compound to swap and compound
return (finalBalances, tempData.tokens);

The call to ClaimZap.claimRewards from Convex will also claim extraRewards and tokenRewards if passed as input and if the strategy is eligible to any of those:

    for(uint256 i = 0; i < extraRewardContracts.length; i++){
        IBasicRewards(extraRewardContracts[i]).getReward(msg.sender);
    }
    //claim from multi reward token contract
    for(uint256 i = 0; i < tokenRewardContracts.length; i++){
        IBasicRewards(tokenRewardContracts[i]).getReward(msg.sender,tokenRewardTokens[i]);
    }

These rewards are not considered in the return data of _executeClaim and hence also not handled in compound.

Tools Used

Manual Review

Recommended Mitigation Steps

Dont restrict the token number to the number of rewardContracts (since most BaseRewardPools pay in the same token CRV, this check does not seem to be correct to begin with). Validate the correctness of the token list differently if necessary.

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

6.7 Medium

AI Score

Confidence

High

JSON