GiantMevAndFeesPool and StakingFundsVault: Miscalculation of rewards when transferring tokens leads to loss of rewards #206
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-178
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L146
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L170
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/StakingFundsVault.sol#L343
Vulnerability details
Impact
This issue exists in GiantMevAndFeesPool as well as in StakingFundsVault. From here on I will explain the issue based on the GiantMevAndFeesPool, but the explanation can be transferred easily to the StakingFundsVault.

The holders of a GiantMevAndFeesPool's GiantLP tokens receive a share of the staking rewards. In order to handle the rewards correctly in case the tokens are transferred, the GiantMevAndFeesPool implements the beforeTokenTransfer (https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L146) and afterTokenTransfer (https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/GiantMevAndFeesPool.sol#L170) functions.

The beforeTokenTransfer function sends all pending rewards to the sender and receiver of the token transfer. The afterTokenTransfer function updates the amount of claimed rewards for the receiver of the token transfer. This is done to disallow the receiver to claim rewards for tokens that the sender has already claimed rewards for.

The problem is that the claimed rewards for the sender are not adapted in the afterTokenTransfer. The claimed rewards for the sender should be lowered to reflect the sender's now lower balance. This causes the sender to miss out on future rewards (-> loss of funds).
Proof of Concept
Consider the following scenario:
beforeTokenTransfer is called and rewards for Alice and Bob are claimed (5 ETH for Alice and 5 ETH for Bob).
afterTokenTransfer function is executed. Bob's claimed amount will be set to 6 ETH, reflecting his new balance of 6 GiantLP.
Tools Used
VSCode
Recommended Mitigation Steps
In the afterTokenTransfer function call _setClaimedToMax(_from):
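The accounting described in this report, as a simplified Python model that is added here as an example and is not taken from the Stakehouse contracts. It assumes rewards are tracked as accumulated ETH per LP token with a per-holder claimed amount; the RewardPool class, the scenario function and the amounts (Alice sends 1 of her 5 GiantLP to Bob, with 10 ETH of rewards before and after the transfer) are constructed for illustration.

```python
from fractions import Fraction

class RewardPool:
    """Simplified model (assumption): rewards tracked as accumulated ETH per LP token."""
    def __init__(self, fix_sender):
        self.fix_sender = fix_sender      # True = also reset the sender's claimed amount
        self.balance, self.claimed, self.paid = {}, {}, {}
        self.acc_per_share = Fraction(0)  # accumulated ETH per LP token

    def mint(self, user, amount):
        self.balance[user] = self.balance.get(user, 0) + amount
        self.claimed.setdefault(user, Fraction(0))
        self.paid.setdefault(user, Fraction(0))

    def add_rewards(self, eth):
        self.acc_per_share += Fraction(eth, sum(self.balance.values()))

    def claim(self, user):
        entitled = self.acc_per_share * self.balance[user]
        due = max(entitled - self.claimed[user], Fraction(0))  # clamped at zero in this model
        self.claimed[user] += due
        self.paid[user] += due

    def set_claimed_to_max(self, user):
        self.claimed[user] = self.acc_per_share * self.balance[user]

    def transfer(self, sender, receiver, amount):
        self.claim(sender)                     # beforeTokenTransfer: pay out pending
        self.claim(receiver)                   # rewards to both parties
        self.balance[sender] -= amount
        self.balance[receiver] += amount
        self.set_claimed_to_max(receiver)      # afterTokenTransfer as described
        if self.fix_sender:
            self.set_claimed_to_max(sender)    # recommended mitigation

def scenario(fix_sender):
    """Constructed amounts: 5 LP each, 10 ETH rewards, Alice sends 1 LP to Bob, 10 ETH more."""
    pool = RewardPool(fix_sender)
    pool.mint("alice", 5)
    pool.mint("bob", 5)
    pool.add_rewards(10)                 # 1 ETH per LP token
    pool.transfer("alice", "bob", 1)     # Bob's claimed becomes 6; Alice's stays 5 if unfixed
    pool.add_rewards(10)                 # another 1 ETH per LP token
    pool.claim("alice")
    pool.claim("bob")
    return {user: int(v) for user, v in pool.paid.items()}

if __name__ == "__main__":
    print("unfixed:", scenario(False))   # Alice is paid 8 ETH; 1 ETH of her share is never paid
    print("fixed:  ", scenario(True))    # Alice is paid 9 ETH
```

In the unfixed run Alice's claimed amount stays at 5 ETH while her balance drops to 4 GiantLP, so the next reward round pays her 3 ETH instead of 4.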