This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
saidam017 - When queueNewRewards is called, caller could transfer tokens more than it should be
#379
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Comments
github-actions
bot
added
High
This was referenced Sep 11, 2023
Closed
shaka -
AbstractRewarder:queueNewRewards() might try to pull too many reward tokens from caller
#451
Closed
Closed
Closed
Closed
codenutt
added
the
Sponsor Confirmed
sherlock-admin
changed the title
queueNewRewards is called, caller could transfer tokens more than it should bequeueNewRewards is called, caller could transfer tokens more than it should be
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
saidam017
medium
When
queueNewRewardsis called, caller could transfer tokens more than it should beSummary
queueNewRewardsis used for Queues the specified amount of new rewards for distribution to stakers. However, it used wrong calculated value when pulling token funds from the caller, could make caller transfer tokens more that it should be.Vulnerability Detail
Inside
queueNewRewards, irrespective of whether we're near the start or the end of a reward period, if the accrued rewards are too large relative to the new rewards (queuedRatiois greater thannewRewardRatio), the new rewards will be added to the queue (queuedRewards) rather than being immediately distributed.https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L235-L261
However, when this function tried to pull funds from sender via
safeTransferFrom, it usednewRewardsamount, which already added bystartingQueuedRewards. If previouslyqueuedRewardsalready have value, the processed amount will be wrong.Impact
There are two possible issue here :
queuedRewardsis not 0, and the caller don't have enough funds or approval, the call will revert due to this logic error.queuedRewardsis not 0, and the caller have enough funds and approval, the caller funds will be pulled more than it should (reward param +queuedRewards)Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L236-L239
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L260
Tool used
Manual Review
Recommendation
Update the transfer to use
startingNewRewardsinstead ofnewRewards:function queueNewRewards(uint256 newRewards) external onlyWhitelisted { uint256 startingQueuedRewards = queuedRewards; uint256 startingNewRewards = newRewards; newRewards += startingQueuedRewards; if (block.number >= periodInBlockFinish) { notifyRewardAmount(newRewards); queuedRewards = 0; } else { uint256 elapsedBlock = block.number - (periodInBlockFinish - durationInBlock); uint256 currentAtNow = rewardRate * elapsedBlock; uint256 queuedRatio = currentAtNow * 1000 / newRewards; if (queuedRatio < newRewardRatio) { notifyRewardAmount(newRewards); queuedRewards = 0; } else { queuedRewards = newRewards; } } emit QueuedRewardsUpdated(startingQueuedRewards, startingNewRewards, queuedRewards); // Transfer the new rewards from the caller to this contract. - IERC20(rewardToken).safeTransferFrom(msg.sender, address(this), newRewards); + IERC20(rewardToken).safeTransferFrom(msg.sender, address(this), startingNewRewards); }The text was updated successfully, but these errors were encountered: