LP Rewards can be increased infinitely by a malicious liquidity provider #503
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-170
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L178
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L38
Vulnerability details
Impact
LP Rewards can be increased infinitely by a malicious liquidity provider
Proof of Concept
A Bond NFT holder can claim pending rewards from a bond using the function `Lock.claim()`. This `claim()` function calls `BondNFT.claim()`, and if the bond is an expired one there is an additional process to reimburse the rewards for that expired bond. So the protocol calculates how many rewards were allocated to that expired bond from the `bond.expireEpoch` to `epoch[bond.asset]` and reimburses that to the current `accRewardsPerShare`.
The problem is that it calculates the `_pendingDelta` using the `bond.expireEpoch` and `epoch[bond.asset]`, while this can be called multiple times. As we can see, the `claim()` function does not do anything to release the expired bond or remember the time that this reimbursement happens. So an expired bond holder can trigger this function by calling `Lock.claim()` repeatedly to increase the `accRewardsPerShare`. This means the rewards for liquidity providers can be increased infinitely.
Tools Used
Manual Review
Recommended Mitigation Steps
Release the bond if expired in the function `BondNFT.claim()`, or remember the last time that the `_pendingDelta` was calculated to make sure the reimbursement does not happen more than once.
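The accounting flaw and the second recommended mitigation can be checked in a small model. This is an added example, not code from the Tigris contracts: it is a simplified Python simulation in which `Pool`, `Bond`, `reimbursed_acc`, the `1e18` scale, the epoch-based expiry test and all sample numbers are assumptions, and only the names `accRewardsPerShare`, `_pendingDelta`, `expireEpoch` and `epoch` come from the report.

```python
from dataclasses import dataclass

SCALE = 10**18  # fixed-point scale for per-share values (assumed)

@dataclass
class Bond:
    shares: int
    expire_epoch: int
    reimbursed_acc: int = 0  # hypothetical checkpoint, used only by the fix

class Pool:
    def __init__(self, total_shares, acc_by_epoch):
        self.total_shares = total_shares
        self.acc = dict(acc_by_epoch)  # epoch -> accRewardsPerShare (scaled)
        self.epoch = max(self.acc)     # current epoch

    def _reimburse(self, bond, start_acc):
        # Rewards credited to the expired bond since start_acc are handed
        # back to the pool by raising the current accRewardsPerShare.
        pending_delta = bond.shares * (self.acc[self.epoch] - start_acc) // SCALE
        self.acc[self.epoch] += pending_delta * SCALE // self.total_shares
        return pending_delta

    def claim_vulnerable(self, bond):
        # Always measures from expireEpoch - 1, so every call re-counts the
        # same interval plus the increase caused by earlier calls.
        if self.epoch < bond.expire_epoch:
            return 0
        return self._reimburse(bond, self.acc[bond.expire_epoch - 1])

    def claim_checkpointed(self, bond):
        # Mitigation: remember the accumulator value after reimbursing and
        # measure from there next time, so a repeated call yields zero.
        if self.epoch < bond.expire_epoch:
            return 0
        start = max(self.acc[bond.expire_epoch - 1], bond.reimbursed_acc)
        delta = self._reimburse(bond, start)
        bond.reimbursed_acc = self.acc[self.epoch]
        return delta

def run(claim_name, calls):
    """Return accRewardsPerShare for the current epoch after `calls` claims."""
    # Constructed sample state: bond expired at epoch 10, current epoch 12.
    pool = Pool(total_shares=1000, acc_by_epoch={9: 2 * SCALE, 12: 3 * SCALE})
    bond = Bond(shares=100, expire_epoch=10)
    for _ in range(calls):
        getattr(pool, claim_name)(bond)
    return pool.acc[pool.epoch]
```

In the vulnerable path the accumulator grows on every call, while the checkpointed path reaches the same value after one call and stays there; a regression test for the real contract can assert the same idempotence property.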