Skip to content
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.

r0ck3tz - Incorrect slippage used for swapping SDT to CvgSdt tokens while claiming rewards #164

Closed
sherlock-admin2 opened this issue Nov 29, 2023 · 0 comments
Closed

r0ck3tz - Incorrect slippage used for swapping SDT to CvgSdt tokens while claiming rewards #164

sherlock-admin2 opened this issue Nov 29, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Nov 29, 2023
edited

r0ck3tz

medium

Incorrect slippage used for swapping SDT to CvgSdt tokens while claiming rewards

Summary

The logic for claiming CVG and SDT rewards through the claimCvgSdtRewards function in the SdtStakingPositionService contract allows specifying whether the claimed SDT tokens should be converted to CrvSDT tokens. The claimCvgSdtRewards function calls the SdtRewardReceiver's claimCvgSdtSimple function, where the conversion of SDT to CrvSDT tokens can be achieved either through minting at a 1:1 ratio or by using the Curve pool to exchange the SDT rewards for CrvSDT token

The swapping mechanism should only work if the returned amount in CvgSDT tokens is greater than the amount of rewards in SDT. This is also indicated in the comment in source code.

Vulnerability Detail

The pool's exchange function, used to calculate slippage as an expected value, relies on the result of the get_dy function, which returns the amount of tokens that would be obtained for the given input token amount.

(..)
    ICrvPoolPlain _poolCvgSDT = poolCvgSDT;
    /// @dev Only swap if the returned amount in CvgSdt is gretear than the amount rewarded in SDT
    _poolCvgSDT.exchange(0, 1, rewardAmount, _poolCvgSDT.get_dy(0, 1, rewardAmount), receiver);
(..)

This means that the functionality does not work as expected and will perform swaps at the current rate, without any slippage protection, even in cases where the resulting amount of CvgSDT tokens is smaller than the input amount of SDT tokens.

Impact

The use of swapping SDT tokens to CvgSDT while claiming rewards is vulnerable to multiple exploitation scenarios:

  • An attacker might execute a sandwich attack against the user claiming rewards, as there is no slippage protection in place.
  • Users might lose portions of SDT tokens when swapping for CvgSDT since the exchange will be done at the current rate, even if it is highly unfavorable for the user.

Code Snippet

Tool used

Manual Review

Recommendation

It is recommended to use the expected parameter with the value of rewardAmount, which will correctly implement the intended logic. The swap will only succeed in cases where the amount of received CvgSDT is greater than the amount of rewarded SDT tokens.

 _poolCvgSDT.exchange(0, 1, rewardAmount, rewardAmount, receiver);

Duplicate of #180
@github-actions github-actions bot closed this as completed Dec 2, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 2, 2023
@sherlock-admin2 sherlock-admin2 changed the title Warm Tin Hamster - Incorrect slippage used for swapping SDT to CvgSdt tokens while claiming rewards r0ck3tz - Incorrect slippage used for swapping SDT to CvgSdt tokens while claiming rewards Dec 24, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Dec 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2