In strategistBootyClaim() of BathPair there is no check that asset!=quote and strategist can claim one asset rewards two times #238
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathPair.sol#L588-L625
Vulnerability details
Impact
function
strategistBootyClaim()
is calculating and transferring strategist prize, but strategist can sendasset=quote
and claim one token prize two times as in code it getsstrategist2Fills
ofasset
andquote
in the beginning of function.Proof of Concept
This is
strategistBootyClaim()
code:As you can see it first save the values of
strategist2Fills[msg.sender][asset]
andstrategist2Fills[msg.sender][quote]
and then calculatedasset
andquote
prize for strategist and in the process set the values ofstrategist2Fills[msg.sender][asset]
andstrategist2Fills[msg.sender][quote]
. if strategist sendasset=quote
then code will reward strategist for that token two times becauseuint256 fillCountQ = strategist2Fills[msg.sender][quote];
is before calculating and updating states forasset
.Of course because of
strategist2Fills[msg.sender][quote] -= fillCountQ;
it may end with underflow error if contract usesSafeMath
correctly but the logic is wrong. the lineuint256 fillCountQ = strategist2Fills[msg.sender][quote];
should be moved after the firstif
.Tools Used
VIM
Recommended Mitigation Steps
change the logic to:
The text was updated successfully, but these errors were encountered: