BondNFT.claim can be called several times to increase rewards amount and drain all funds #182
Labels: 3 (High Risk), bug, duplicate-170, satisfactory
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L168-L187
Vulnerability details
Impact
BondNFT.claim can be called several times to increase the rewards amount.
Proof of Concept
The BondNFT.claim function is called to claim the bond rewards that have accrued over time.
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/BondNFT.sol#L168-L187
If the bond has already expired, the function distributes the amount accrued in the epochs after the bond expired to the bonds that have not expired yet.
The problem is that this function can currently be called as many times as you wish through the Lock.claim function.
That means accRewardsPerShare[bond.asset][epoch[bond.asset]] will always be increasing.
Attack example:
1. The attacker creates 2 bonds. One is for a short period, the other for a slightly longer period.
2. When the first bond has expired, the attacker calls claim many times to increase the accRewardsPerShare[bond.asset][epoch[bond.asset]] value in order to drain all funds from BondNFT.
3. After that, the attacker claims the other bond and receives all the funds held in BondNFT as a reward.
Tools Used
VsCode
Recommended Mitigation Steps
Make sure that accRewardsPerShare is updated only once.
A check such as this may help:
if (bond.expired && bond.pending > 0)
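
The accounting flaw and the effect of the suggested check, as an added example: a constructed Python model of one reward pool with two equal bonds, not code from BondNFT.sol or from the report. The class, method names and amounts are assumptions; `guarded=True` applies the `pending > 0` condition above.

```python
from dataclasses import dataclass

PRECISION = 10**18  # fixed-point scale for the per-share accumulator

@dataclass
class Bond:
    shares: int
    paid: int = 0            # rewards already paid out to this bond
    expired: bool = False
    acc_at_expiry: int = 0   # accumulator snapshot taken at expiry

class BondPool:  # constructed single-asset model, not the contract itself
    def __init__(self, guarded):
        self.guarded = guarded
        self.acc = 0         # plays the role of accRewardsPerShare
        self.balance = 0     # reward tokens held by the pool
        self.bonds = []
    def create(self, shares):
        self.bonds.append(Bond(shares))
        return self.bonds[-1]
    def distribute(self, amount):
        total = sum(b.shares for b in self.bonds)  # expired bonds still counted
        self.balance += amount
        self.acc += amount * PRECISION // total
    def expire(self, bond):
        bond.expired, bond.acc_at_expiry = True, self.acc
    def pending(self, bond):
        acc = bond.acc_at_expiry if bond.expired else self.acc
        return bond.shares * acc // PRECISION - bond.paid
    def claim(self, bond):
        amount = self.pending(bond)
        # Suggested mitigation: redistribute only while pending > 0.
        if bond.expired and (amount > 0 or not self.guarded):
            stranded = bond.shares * (self.acc - bond.acc_at_expiry) // PRECISION
            live = sum(b.shares for b in self.bonds if not b.expired)
            if live:
                self.acc += stranded * PRECISION // live
        bond.paid += amount
        self.balance -= amount
        return amount
    def owed_to_live(self):
        return sum(self.pending(b) for b in self.bonds if not b.expired)

def run(guarded, claims=3):
    """Return (rewards owed to live bonds, pool balance) after repeated claims."""
    pool = BondPool(guarded)
    short, _long = pool.create(100), pool.create(100)
    pool.distribute(1000)
    pool.expire(short)
    pool.distribute(200)     # rewards that arrive after the short bond expired
    for _ in range(claims):
        pool.claim(short)
    return pool.owed_to_live(), pool.balance
```

Comparing `owed_to_live()` with `balance` after every claim is the solvency invariant to assert in a regression test: without the guard the amount owed exceeds the balance from the second claim onward.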