Blacklisting a `tigAsset` results in loss of all user staked funds without earning rewards #99
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
- downgraded by judge: Judge downgraded the risk level of this issue
- duplicate-73
- edited-by-warden
- satisfactory: satisfies C4 submission criteria; eligible for awards
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L215
Vulnerability details
Impact
Users who created a lock with a `tigAsset` and that `tigAsset` gets blacklisted permanently in `BondNFT`:
Essentially, blacklisting a `tigAsset` results in loss of users' staked funds and not being able to get expected rewards.
Any use of `setAllowedAsset` to set a `tigAsset` to not be allowed will result in the above on user stakes of `tigAsset`s.
Simple scenario:
- `tigAsset`s into `lock` for 365 days.
- `setAllowedAsset` is called to set `tigAsset` to false in `allowedAsset`.
- `tigAsset`s are locked in the contract forever, with only receiving rewards for 5 days.
Users should be able to release their lock if the asset that they staked got blacklisted.
Proof of Concept
`BondNFT` has an `allowedAsset` list which is used to control what `tigAssets` are used for staking.
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L63
The `tigAsset` is always set to true in the `allowedAsset` when it is added as a supported asset.
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L353
The `BondNFT` contract also has a mechanism to "blacklist" an asset by calling the `setAllowedAsset` function:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L359
In most operations in the `lock` contract, it claims rewards from the `govNFT` contract and calls the `distribute` function in `BondNFT` to distribute the rewards to stakers.
The bug exists in the `distribute` function which returns false if the token is blacklisted:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L215
Please note the following:
1. `epoch[_tigAsset]` will never get updated if the `tigAsset` is blacklisted.
2. `distribute` does not add the retrieved tokens from the `govNFT` to rewards accounting.
Consequence of #1: users cannot receive rewards for their stake.
Consequence of #2: users will never be able to release their lock even after the lock period has passed. This is because the `release` function will revert with the `!expire` message because the contract decides if a bond is expired or not according to `epoch[_tigAsset]`.
`release` in `BondNFT`:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L142
`idToBond` in `BondNFT` that updates `bond.expire`:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L238
As can be seen above, because `epoch[bond.asset]` is not updated (due to blacklisting of the asset), the bond is considered not expired.
Hardhat POC
The protocol has already implemented a test that makes sure if a token is blacklisted it is not distributed:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/test/09.Bonds.js#L163
In the above test, 3000 `tigAsset`s are staked in the lock and the staker will not receive any rewards.
The following POC demonstrates that a user cannot unlock his stake after the 100 days lock period:
Add the following test to `09.Bonds.js`:
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/test/09.Bonds.js#L170
To run the above test, execute:
Tools Used
VS Code, Hardhat
Recommended Mitigation Steps
While there must be a need to blacklist `tigAssets` because the `setAllowedAsset` function exists, the BondNFT contract should allow users to release their stake if the token they staked is blacklisted or automatically do it for them.