cergyk - Division by Zero in CvgRewards::_distributeCvgRewards leads to locked funds #131
Comments
Hello, Thanks a lot for your attention. We are aware of the potential for a division by zero if there are no votes at all in one of our gauges. However, this scenario is unlikely to occur in reality because there will always be votes deployed (by us and/or others) in the gauges. Nevertheless, your point is valid, and we will address it to be prepared for this case. Therefore, in conclusion, we must acknowledge your issue as correct, even though we are already aware of it. Regards,
Since DoS is not permanent where in as long as protocol/users themselves vote for the gauge, I think this is a low severity issue.
Escalate Escalating based on latest comment:
If we reach this case ( It is acknowledged that there is a low chance of this happening, but due to the severe impact and acknowledged validity this should be a medium
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
@CergyK As mentioned by the sponsor, they will always ensure there are votes present to prevent this scenario, so I can see this as an "admin error" if the scenario is allowed to happen, but I also see your point given this was not made known to watsons. If totalWeight goes to zero, it will indeed be irrecoverable. Unlikely but possible, so can be valid based on this Sherlock rule
I believe this impact warrants medium severity. Planning to accept the escalation.
Result:
Escalations have been resolved successfully! Escalation status:
Hello dear auditor, we fixed this issue. You can find how on the following link: https://github.com/Cvg-Finance/sherlock-cvg/pull/4#discussion_r1457528119
Fix looks good. Now utilizes a ternary operator to prevent division by zero
cergyk
high
Division by Zero in CvgRewards::_distributeCvgRewards leads to locked funds
Summary
The bug occurs when CvgRewards::_setTotalWeight sets totalWeightLocked to zero, leading to a division by zero error in CvgRewards::_distributeCvgRewards, and blocking cycle increments. The blocking results in all Cvg locked to be unlockable permanently.
Vulnerability Detail
The function _distributeCvgRewards of CvgRewards.sol is designed to calculate and distribute CVG rewards among staking contracts. It calculates the cvgDistributed for each gauge based on its weight and the total staking inflation. However, if the totalWeightLocked remains at zero (due to some gauges that are available but no user has voted for any gauge), the code attempts to divide by zero.
The DoS of _distributeCvgRewards will prevent cycle from advancing to the next state State.CONTROL_TOWER_SYNC, thus forever locking the users’ locked CVG tokens.
Impact
Loss of users’ CVG tokens due to DoS of _distributeCvgRewards blocking the state.
Code Snippet
https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Rewards/CvgRewards.sol#L321
Tool used
Recommendation
If the _totalWeight is zero, just consider the cvg rewards to be zero for that cycle, and continue with other logic:
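A minimal model of the failure and of the guard the recommendation describes, added here as an illustration; it is not code from the report, the fix PR or CvgRewards.sol. Only totalWeightLocked, cvgDistributed and CONTROL_TOWER_SYNC come from the page; the contract name, the DISTRIBUTE state, the gaugeWeights array and the STAKING_INFLATION value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative model only, not the CvgRewards source. Names other than
/// totalWeightLocked, cvgDistributed and CONTROL_TOWER_SYNC are hypothetical.
contract RewardCycleSketch {
    enum State { DISTRIBUTE, CONTROL_TOWER_SYNC }

    State public state = State.DISTRIBUTE;
    uint256 public totalWeightLocked;   // sum of gauge weights, 0 if nobody voted
    uint256[] public gaugeWeights;      // one entry per gauge
    uint256[] public cvgDistributed;    // reward assigned to each gauge this cycle
    uint256 public constant STAKING_INFLATION = 1000e18; // assumed per-cycle amount

    constructor(uint256[] memory weights) {
        for (uint256 i; i < weights.length; ++i) {
            gaugeWeights.push(weights[i]);
            cvgDistributed.push(0);
            totalWeightLocked += weights[i];
        }
    }

    /// Unguarded: when gauges exist but totalWeightLocked == 0, the division
    /// reverts with Panic(0x12) on every call, so `state` never advances.
    function distributeUnguarded() external {
        require(state == State.DISTRIBUTE, "wrong state");
        for (uint256 i; i < gaugeWeights.length; ++i) {
            cvgDistributed[i] = (STAKING_INFLATION * gaugeWeights[i]) / totalWeightLocked;
        }
        state = State.CONTROL_TOWER_SYNC;
    }

    /// Guarded: a zero total weight yields zero rewards for the cycle and the
    /// state machine still moves on to CONTROL_TOWER_SYNC.
    function distributeGuarded() external {
        require(state == State.DISTRIBUTE, "wrong state");
        uint256 total = totalWeightLocked;
        for (uint256 i; i < gaugeWeights.length; ++i) {
            cvgDistributed[i] = total == 0
                ? 0
                : (STAKING_INFLATION * gaugeWeights[i]) / total;
        }
        state = State.CONTROL_TOWER_SYNC;
    }
}
```

Deploying with weights such as [0, 0] reproduces the condition in the report: distributeUnguarded reverts on every call, while distributeGuarded records zero rewards and advances the state.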