This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
xiaoming90 - Unable to withdraw extra rewards #565
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
xiaoming90
medium
Unable to withdraw extra rewards
Summary
Users are unable to withdraw extra rewards due to staking of TOKE that is less than MIN_STAKE_AMOUNT, resulting in them being stuck in the contracts.
Vulnerability Detail
Suppose Bob only has 9999 Wei TOKE tokens as main rewards and 100e18 DAI as extra rewards in this account.
When attempting to get the rewards, the code will always get the main rewards, followed by the extra rewards, as shown below.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/MainRewarder.sol#L108
If the main reward is TOKE, they will be staked to the GPToke at Line 376 below.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L354
However, if the staked amount is less than the minimum stake amount (MIN_STAKE_AMOUNT), the function will revert.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/staking/GPToke.sol#L98
In this case, Bob will not be able to redeem his 100 DAI reward when processing the reward. The code will always attempt to stake 9999 Wei TOKE and revert because it fails to meet the minimum stake amount.
Impact
There is no guarantee that the users' TOKE rewards will always be larger than MIN_STAKE_AMOUNT as it depends on various factors such as the following:
As such, the affected users will not be able to withdraw their extra rewards, and they will be stuck in the contract.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/MainRewarder.sol#L108
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/rewarders/AbstractRewarder.sol#L354
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/staking/GPToke.sol#L98
Tool used
Manual Review
Recommendation
To remediate the issue, consider collecting TOKE and staking it to the GPToke contract only if it meets the minimum stake amount.
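The stuck claim and the recommended fix, as an added example that is not part of the original report or the audited code: a simplified Python model (not Solidity) of the claim flow with transaction rollback. The class and function names and the 10,000 wei value for MIN_STAKE_AMOUNT are assumptions; the report only implies that 9999 wei is below the minimum.

```python
# Simplified Python model of the reward flow described in this issue.
# All names and the MIN_STAKE_AMOUNT value are assumptions, not the audited Solidity.
import copy

MIN_STAKE_AMOUNT = 10_000  # assumed value, in wei; the issue only implies 9999 is below it


class Revert(Exception):
    """Models an EVM revert: the whole transaction's state changes are discarded."""


class Rewarder:
    def __init__(self, toke_owed, dai_owed, stake_only_if_min):
        self.owed = {"TOKE": toke_owed, "DAI": dai_owed}  # unclaimed rewards
        self.staked = 0                                   # TOKE staked for the user
        self.wallet = {"DAI": 0}                          # tokens paid out to the user
        self.stake_only_if_min = stake_only_if_min        # True = recommended fix

    def _stake(self, amount):
        # The staking contract rejects amounts below the minimum.
        if amount < MIN_STAKE_AMOUNT:
            raise Revert("stake amount too low")
        self.staked += amount

    def _get_reward(self):
        # Main reward (TOKE) is processed first, then the extra rewards (DAI).
        toke = self.owed["TOKE"]
        if toke > 0 and not (self.stake_only_if_min and toke < MIN_STAKE_AMOUNT):
            self.owed["TOKE"] = 0
            self._stake(toke)
        # With the fix, sub-minimum TOKE stays accrued for a later claim (assumption).
        self.wallet["DAI"] += self.owed["DAI"]
        self.owed["DAI"] = 0

    def get_reward(self):
        """Run one claim transaction atomically; return True if it succeeded."""
        snapshot = copy.deepcopy(self.__dict__)
        try:
            self._get_reward()
            return True
        except Revert:
            self.__dict__.update(snapshot)  # roll back every state change
            return False


def claim(toke_owed, dai_owed, stake_only_if_min):
    """Return (succeeded, DAI received, TOKE still owed, TOKE staked)."""
    r = Rewarder(toke_owed, dai_owed, stake_only_if_min)
    ok = r.get_reward()
    return ok, r.wallet["DAI"], r.owed["TOKE"], r.staked
```

Calling `claim(9999, 100 * 10**18, False)` reproduces Bob's case: the claim fails and no DAI is paid, while the same call with `True` pays the DAI and leaves the 9999 wei of TOKE accrued.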