New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permanent freeze of yield when TokenSender rewards bank is depleted and deposit or withdraw is called. #311
Comments
Indeed, it would be good to add a flag or some parameter called However, I do not agree that this falls in the "Permanent freezing of unclaimed yield" category. From my perspective, this part of the code does not promise users anything. Instead, there is eventually a fee rebate if there are still PPO to send. Therefore, the additional parameter would only be an additional safety check for the user. |
Picodes changed the severity to 2 (Med Risk) |
Picodes marked the issue as primary issue |
ramenforbreakfast marked the issue as sponsor disputed |
Yes, i agree that to categorize this under "Permanent freezing of unclaimed yield", since this is just an additional rebate reward given to the user. It is within the contract documentation that this is expected behavior and in our front end we will be very clear on the lack of a rebate if the We do not want a situation where the rebate contract has exhausted its |
Picodes marked the issue as duplicate of #257 |
Picodes marked the issue as satisfactory |
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/TokenSender.sol#L41
Vulnerability details
Description
In collateral deposit() and withdraw() flow, a fee is calculated as a percentage of user's requested amount. It is passed to the DepositHook and WithdrawHook, for example in deposit():
In the DepositHook, if there is a fee two actions take place:
The issue is that TokenSender has an early exit problem:
In the code above, note that if the TokenSender does not currently have enough reward tokens to hand out, it will simply return successfully from the call. Therefore, user which assumed they will be getting cash back rewards from fees when depositing or withdrawing, are actually paying the fees with no compensation.
Impact
Permanent freeze of yield when TokenSender rewards bank is depleted and deposit or withdraw is called.
Proof of Concept
Tools Used
Manual audit
Recommended Mitigation Steps
The root cause is that there is no differentiation between user's request to mint expecting rewards, and user's request to mint in any case. This lack of acknoledgement means user may be left under-compensated.
It is very advisable to add "forfeitRewards" flag, which is required to be true when TokenSender is not able to satisfy the reward owings to user.
Judging note
Permanent freezing of unclaimed yield is always rated as High severity on Immunefi bounties.
The text was updated successfully, but these errors were encountered: