`_distributeRewards` Does Not Reset Approval If Not All Tokens Were Allocated #229
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
leastwood
Vulnerability details

Impact

`_distributeRewards` attempts to reward LP token holders when the price of Malt exceeds its price target. Malt Finance is able to bring Malt back to its peg by selling Malt and distributing reward tokens to LP token holders. An external call to `Auction` is made via the `allocateArbRewards` function. Prior to this call, the `StabilizerNode` approves the contract for a fixed amount of tokens; however, the `allocateArbRewards` function does not necessarily utilise this entire amount. Hence, dust token approval amounts may accrue within the `StabilizerNode` contract.

Proof of Concept
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/StabilizerNode.sol#L252-L253
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/Auction.sol#L809-L871
Tools Used
Manual code review
Recommended Mitigation Steps
Consider resetting the approval amount if the input `rewarded` amount to `allocateArbRewards` is less than the output amount.
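The following is an added illustration of the leftover-approval pattern and the recommended reset; it is not code from the Malt repository. It assumes a hypothetical `IRewardSink` interface standing in for `Auction`, whose `allocateArbRewards` returns the number of tokens it actually pulled (the real Auction signature may differ), a standard ERC-20 `rewardToken`, and a `MockSink` that deliberately consumes only half of what it was approved for so the difference between the two patterns is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed here (assumption: a standard, well-behaved token).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for Auction.allocateArbRewards: it may pull fewer
// tokens than it was approved for and reports how many it actually used.
interface IRewardSink {
    function allocateArbRewards(uint256 rewarded) external returns (uint256 used);
}

contract ApprovalPatternDemo {
    IERC20 public immutable rewardToken;
    IRewardSink public immutable sink;

    constructor(IERC20 _rewardToken, IRewardSink _sink) {
        rewardToken = _rewardToken;
        sink = _sink;
    }

    // Leaky pattern (the shape described in the finding): approve a fixed amount
    // and ignore how much the callee consumed. Whatever the sink did not pull
    // remains approved to it after the call returns.
    function distributeLeaky(uint256 rewarded) external {
        rewardToken.approve(address(sink), rewarded);
        sink.allocateArbRewards(rewarded);
    }

    // Hardened pattern: approve, let the sink pull, then clear any remainder
    // so the allowance never outlives the call that granted it.
    function distributeSafe(uint256 rewarded) external {
        rewardToken.approve(address(sink), rewarded);
        uint256 used = sink.allocateArbRewards(rewarded);
        if (used < rewarded) {
            rewardToken.approve(address(sink), 0);
        }
    }

    // Invariant check for tests or monitoring: after either distribute function,
    // this should be zero; the leaky variant leaves rewarded - used behind.
    function leftoverAllowance() external view returns (uint256) {
        return rewardToken.allowance(address(this), address(sink));
    }
}

// Constructed test double: consumes only half of the approved amount.
contract MockSink is IRewardSink {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    function allocateArbRewards(uint256 rewarded) external override returns (uint256 used) {
        used = rewarded / 2;
        token.transferFrom(msg.sender, address(this), used);
    }
}
```

Two practical notes. First, the reset uses a plain `approve(spender, 0)`; tokens that do not return `bool` or that require a zero allowance before setting a new one are better handled through a wrapper such as OpenZeppelin's `SafeERC20`. Second, a test that calls `distributeLeaky` and then `leftoverAllowance` makes the dust approval directly observable, which is the easiest way to confirm the fix lands in the right place.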