Potential lock of rewards in the custody contracts #71
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/custody_beth/src/distribution.rs#L110-L115
https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/money-market-contracts/contracts/custody_bluna/src/distribution.rs#L109-L114
Vulnerability details
Impact
The
swap_to_stable_denom
function in the custody contracts swaps all other native tokens into a specific one. The function creates swap messages for all the other native tokens and adds them as sub-messages, and handles the reply only when the last sub-message succeeds. Upon receiving the reply, the contract sends the swapped tokens (i.e., rewards) to the overseer contract.In cases where the last sub-message fails, the custody contract will not receive a reply, and therefore the rewards are left in the contract. The rewards are locked in the contract until someone triggers
swap_to_stable_denom
again, and the last swap succeeds. However, if the last swap consistently fails in some period for any reason, the total rewards will be locked in the contract during that period. As a result, users cannot get the rewards they are supposed to receive in that period.Proof of Concept
Referenced code:
custody_beth/src/distribution.rs#L110-L115
custody_bluna/src/distribution.rs#L109-L114
Recommended Mitigation Steps
Consider handling the reply on either success or failure, i.e., using
ReplyOn::Always
, to avoid the failure of the swap to cause tokens to be locked.The text was updated successfully, but these errors were encountered: