code423n4 / Code4rena / CODE423N4:2023-10-ASYMMETRY-MITIGATION-FINDINGS-ISSUES-9
Oct 25, 2023 - 12:00 a.m.

M-05 Unmitigated

2023-10-25 00:00:00
Code4rena
github.com

6.8 Medium

AI Score

Confidence

Low

Lines of code

Vulnerability details

Original Issue

Details

  • The issue outlined above is about making instant profit by depositing before the boost happens and withdrawing right after the boost occurs. Those who locked their positions for 16+ weeks get the same profit as those who didn’t, which could disincentivize users from locking their liquidity.

Mitigation

  • The fix proposed was to increase the min epoch wait to prevent instant withdrawals.

  • Mitigated in the following PR.

Conclusion

  • LGTM, but would like to raise the following question:
    • Imagine the following:
      • lockedBalances[0].amount - cvxUnlockObligations == x, x > 0,
      • applyRewards() is about to be invoked at nearly lockedBalances[0].unlockTime - currentEpochStartingTime == 1 epoch - delta (i.e. close to the time when lockedBalances[0] is available for finalization).
  • Seeing this, Bob could provide s amount of ETH so that P(s) == x, where P(s) is the amount of CVX per s amount of ETH provided right before applyRewards() is invoked. After the boost, he is able to withdraw his deposit with an additional boost after waiting delta amount of time, which is significantly less than 1 epoch.

Recommended Mitigation Steps:

  • Short term: I’m a little bit suspicious about it, but anyway, does it require the min amount of wait time, which is 1 epoch, to be applied in the case where totalLockedBalancePlusUnlockable < cvxUnlockObligations when requesting withdrawal?

Assessed type

Context

