Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duplicate LP token could lead to incorrect deposits #11

Open
code423n4 opened this issue May 27, 2022 · 2 comments
Open

Duplicate LP token could lead to incorrect deposits #11

code423n4 opened this issue May 27, 2022 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-vetoken/blob/main/contracts/Booster.sol#L256

Vulnerability details

Impact

It was observed that addPool function is not checking for duplicate lpToken which allows 2 or more pools to have exact same lpToken. This can cause issue with deposits.

In case of duplicate lpToken, the first pool calling depositAll will take away all lpToken and deposit them under there own pid. This leaves no balance for 2nd pool

Proof of Concept

  1. PoolManager call addPool function and uses lpToken as A
  2. PoolManager again call addPool function and mistakenly provides lpToken as A
  3. Now 2 pools will be created with lpToken as A
  4. depositAll function is called passing first pool.
  5. This takes all balance of lpToken A and depsoit it under first pool pid
  6. This mean no balance is left for second pool now

Recommended Mitigation Steps

Add a global variable keeping track of all lpToken added for pool. In case of duplicate lpToken addPool function should fail.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 27, 2022
code423n4 added a commit that referenced this issue May 27, 2022
@code423n4
csanuragjain issue #11
83b5954
@jetbrain10 jetbrain10 added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jun 15, 2022
@jetbrain10
Copy link
Collaborator

there is already a validation not allow to add duplicated gauges, pool manager contract, add pool function , but we have to add also a validation for lp token like gauges

@solvetony solvetony mentioned this issue Jun 15, 2022
Closed
@GalloDaSballo
Copy link
Collaborator

The warden has shown how, due to a lack of validation, the assumption that each lpToken is used only on one pool can be broken.
This will cause accounting issues.

For those reasons, I agree with Medium Severity

@GalloDaSballo GalloDaSballo mentioned this issue Jul 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @jetbrain10 @code423n4