Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

WATCHPUG - escrowedReward will be frozen in the contract if escrowPool == address(0) but escrowPortion > 0 #107

Open
sherlock-admin opened this issue Oct 14, 2022 · 3 comments
Open

WATCHPUG - escrowedReward will be frozen in the contract if escrowPool == address(0) but escrowPortion > 0 #107

sherlock-admin opened this issue Oct 14, 2022 · 3 comments
Labels
Has Duplicates Medium Sponsor Confirmed Will Fix

Comments

@sherlock-admin
Copy link
Contributor

WATCHPUG

high

escrowedReward will be frozen in the contract if escrowPool == address(0) but escrowPortion > 0

Summary

A portion of users' reward, which is expected to be "escrowed", will be frozen in the pool contract if escrowPool == address(0) but escrowPortion > 0.

Vulnerability Detail

Setting _escrowPool to address(0) is allowed in __BasePool_init():

https://github.com/sherlock-audit/2022-10-merit-circle/blob/main/merit-liquidity-mining/contracts/base/BasePool.sol#L75-L77

However, when escrowPortion > 0, if escrowPool == address(0), claimRewards() will still only transferring nonEscrowedRewardAmount to the _receiver and left the escrowedRewardAmount in the contract.

Impact

As a result, a portion (escrowPortion) of the rewards will be frozen in the contract, and there is no way for the users or even the admin to retrieve these rewards.

Code Snippet

https://github.com/Merit-Circle/merit-liquidity-mining/blob/ce5feaae19126079d309ac8dd9a81372648437f1/contracts/base/BasePool.sol#L100-L115

Tool used

Manual Review

Recommendation

Change to:

function claimRewards(address _receiver) external {
    uint256 rewardAmount = _prepareCollect(_msgSender());
    uint256 escrowedRewardAmount = 0;

    if(escrowPortion != 0 && address(escrowPool) != address(0)) {
        escrowedRewardAmount = rewardAmount * escrowPortion / 1e18;
        if (escrowedRewardAmount != 0) {
            escrowPool.deposit(escrowedRewardAmount, escrowDuration, _receiver);
            rewardAmount -= escrowedRewardAmount;
        }
    }

    // ignore dust
    if(rewardAmount > 1) {
        rewardToken.safeTransfer(_receiver, rewardAmount);
    }

    emit RewardsClaimed(_msgSender(), _receiver, escrowedRewardAmount, rewardAmount);
}
This was referenced Oct 14, 2022
Closed
Closed
Closed
Closed
Closed
Closed
@federava
Copy link

Conditions stablished in this issue, that is, escrowPool == address(0) and escrowPortion > 0 will never be met because pools are deployed with:

escrowPool != address(0) and escrowPortion > 0
or
escrowPool == address(0) and escrowPortion > 0

As a priority we could check on deployment that such conditions are not met.

@federava federava mentioned this issue Oct 21, 2022
Merged
@federava
Copy link

PR from this issue

@jack-the-pug
Copy link
Collaborator

Fix confirmed

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates Medium Sponsor Confirmed Will Fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@federava @jack-the-pug @sherlock-admin