This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
saidam017 - When queueNewRewards is called, caller could transfer tokens more than it should be #379
Labels:
- Has Duplicates: a valid issue with 1+ other issues describing the same vulnerability
- High: a valid High severity issue
- Reward: a payout will be made for this issue
- Sponsor Confirmed: the sponsor acknowledged this issue is valid
saidam017

medium

When queueNewRewards is called, the caller could transfer more tokens than it should

Summary

queueNewRewards queues the specified amount of new rewards for distribution to stakers. However, it uses a wrongly calculated value when pulling token funds from the caller, which can make the caller transfer more tokens than it should.
Vulnerability Detail

Inside queueNewRewards, irrespective of whether we are near the start or the end of a reward period, if the accrued rewards are too large relative to the new rewards (queuedRatio is greater than newRewardRatio), the new rewards are added to the queue (queuedRewards) rather than being immediately distributed.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L235-L261
However, when this function pulls funds from the sender via safeTransferFrom, it uses the newRewards amount, to which startingQueuedRewards has already been added. If queuedRewards already holds a value from a previous call, the transferred amount will be wrong.

Impact
There are two possible issues here:

- If queuedRewards is not 0 and the caller does not have enough funds or approval, the call will revert due to this logic error.
- If queuedRewards is not 0 and the caller has enough funds and approval, more of the caller's funds will be pulled than it should (the reward parameter + queuedRewards).

Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L236-L239
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L260

Tool used

Manual Review

Recommendation

Update the transfer to use startingNewRewards instead of newRewards.