Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LP Rewards can be increased infinitely by a malicious liquidity provider #503

Closed
code423n4 opened this issue Dec 16, 2022 · 3 comments
Closed

LP Rewards can be increased infinitely by a malicious liquidity provider #503

code423n4 opened this issue Dec 16, 2022 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-170 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L178
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L38

Vulnerability details

Impact

LP Rewards can be increased infinitely by a malicious liquidity provider

Proof of Concept

A Bond NFT holder can claim pending rewards from a bond using the function Lock.claim().

function claim(
    uint256 _id
) public returns (address) {
    claimGovFees();
    (uint _amount, address _tigAsset) = bondNFT.claim(_id, msg.sender);
    IERC20(_tigAsset).transfer(msg.sender, _amount);
    return _tigAsset;
}

This claim() function calls the BondNFT.claim() and if the bond is an expired one there is an additional process to reimburse the rewards for that expired bond.

So the protocol calculates how much rewards were allocated to that expired bond from the bond.expireEpoch to epoch[bond.asset] and reimburse that to the current accRewardsPerShare.

The problem is it calculates the _pendingDelta using the bond.expireEpoch and epoch[bond.asset] while this can be called multiple times.

    function claim(
        uint _id,
        address _claimer
    ) public onlyManager() returns(uint amount, address tigAsset) {
        Bond memory bond = idToBond(_id);
        require(_claimer == bond.owner, "!owner");
        amount = bond.pending;
        tigAsset = bond.asset;
        unchecked {
            if (bond.expired) {
                uint _pendingDelta = (bond.shares * accRewardsPerShare[bond.asset][epoch[bond.asset]] / 1e18 - bondPaid[_id][bond.asset]) - (bond.shares * accRewardsPerShare[bond.asset][bond.expireEpoch-1] / 1e18 - bondPaid[_id][bond.asset]);
                if (totalShares[bond.asset] > 0) {
                    accRewardsPerShare[bond.asset][epoch[bond.asset]] += _pendingDelta*1e18/totalShares[bond.asset];
                }
            }
            bondPaid[_id][bond.asset] += amount;
        }
        IERC20(tigAsset).transfer(manager, amount);
        emit ClaimFees(tigAsset, amount, _claimer, _id);
    }

As we can see, the claim() function does not do anything to release the expired bond or remember the time that this reimbursement happens.
So an expired bond holder can trigger this function by calling Lock.claim() repeatedly to increase the accRewardsPerShare.
This means the rewards for liquidity providers can be increased to infinite.

Tools Used

Manual Review

Recommended Mitigation Steps

Release the bond if expired in the function BondNFT.claim() or remember the last time that the _pendingDelta was calculated to make sure the reimbursement does not happen more than once.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Dec 16, 2022
code423n4 added a commit that referenced this issue Dec 16, 2022
@code423n4
hansfriese issue #503
c312072
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as duplicate of #68

@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as duplicate of #170

C4-Staff added a commit that referenced this issue Jan 6, 2023
@C4-Staff
original risk added for issue #503
a46fc42
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 22, 2023
@c4-judge
Copy link
Contributor

GalloDaSballo marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-170 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge