Removed BondNFT assets rewards will be lost #404
Labels:
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explains in comments)
- duplicate-73
- satisfactory: satisfies C4 submission criteria; eligible for awards
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use with "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L110-L120
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L275-L280
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L357-L360
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L211-L215
Vulnerability details
Impact
BondNFT keeps an allowedAsset[] mapping of the assets it accepts. However, Lock.sol#claimGovFees() claims rewards from GovNFT for every asset, whether or not BondNFT allows it. An asset that is not in BondNFT's allowedAsset[] can therefore be collected through GovNFT claim(); in that case the corresponding rewards are never distributed and remain locked in the Lock contract.
Proof of Concept
Because the set of assets can change over time, the admin occasionally has to maintain assets[] and allowedAsset[]. GovNFT, on the other hand, lets any asset be claimed as rewards. If an asset is set to false in BondNFT's allowedAsset[], BondNFT.sol#distribute() silently returns and does nothing for it. In that situation the asset is still claimed from GovNFT by claimGovFees(), and balanceBefore and balanceAfter do change, but that portion of the rewards is ignored by BondNFT.sol#distribute() and stays locked in the contract.
Tools Used
Manual analysis.
Recommended Mitigation Steps
In Lock.sol#claimGovFees(), skip the disallowed assets so their rewards are not pulled out of GovNFT and stranded in the Lock contract.
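The claim-then-distribute flow and the suggested skip, shown side by side as an added illustrative Solidity model. This is not the Tigris code: the contract name LockModel, the interface signatures, and the getAssets() and allowedAsset() accessors are assumptions that follow the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative model, not the Tigris contracts. The interfaces below
// are assumptions that mirror the behaviour described in the finding.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IGovNFT {
    // Assumed: transfers the caller's accrued rewards of one asset to the caller.
    function claim(address _tigAsset) external;
}

interface IBondNFT {
    // Assumed accessors for the assets[] array and allowedAsset[] mapping.
    function getAssets() external view returns (address[] memory);
    function allowedAsset(address _tigAsset) external view returns (bool);
    // Assumed: returns early (no-op) when _tigAsset is not allowed.
    function distribute(address _tigAsset, uint256 _amount) external;
}

contract LockModel {
    IGovNFT public immutable govNFT;
    IBondNFT public immutable bondNFT;

    constructor(address _govNFT, address _bondNFT) {
        govNFT = IGovNFT(_govNFT);
        bondNFT = IBondNFT(_bondNFT);
    }

    // Shape of the issue: every asset is claimed from GovNFT, but distribute()
    // is a no-op for a disallowed asset, so those tokens stay in this contract
    // with no path back to bond holders.
    function claimGovFeesVulnerable() external {
        address[] memory assets = bondNFT.getAssets();
        for (uint256 i = 0; i < assets.length; i++) {
            uint256 balanceBefore = IERC20(assets[i]).balanceOf(address(this));
            govNFT.claim(assets[i]);
            uint256 balanceAfter = IERC20(assets[i]).balanceOf(address(this));
            uint256 claimed = balanceAfter - balanceBefore;
            IERC20(assets[i]).approve(address(bondNFT), claimed);
            bondNFT.distribute(assets[i], claimed); // silently ignored if disallowed
        }
    }

    // Mitigated shape: check allowedAsset before claiming. Rewards of a
    // disallowed asset stay accrued in GovNFT and can be claimed once the
    // admin allows the asset again, instead of being stranded here.
    function claimGovFeesFixed() external {
        address[] memory assets = bondNFT.getAssets();
        for (uint256 i = 0; i < assets.length; i++) {
            if (!bondNFT.allowedAsset(assets[i])) {
                continue; // skip: do not pull rewards BondNFT will refuse
            }
            uint256 balanceBefore = IERC20(assets[i]).balanceOf(address(this));
            govNFT.claim(assets[i]);
            uint256 balanceAfter = IERC20(assets[i]).balanceOf(address(this));
            uint256 claimed = balanceAfter - balanceBefore;
            IERC20(assets[i]).approve(address(bondNFT), claimed);
            bondNFT.distribute(assets[i], claimed);
        }
    }
}
```

The check is placed before govNFT.claim() rather than before distribute(): skipping only the distribute call would still move the tokens out of GovNFT into the Lock contract, which is exactly where they become unrecoverable.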