You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Using the predicted value as Minimum amount of reward to receive may result in user losses
Summary
_withdrawRewards() function in SdtRewardReceiver.sol calls _poolCvgsdt.exchage() converts all SDT into CvgSDT.
The poolCvgsdt.exchage() function uses the return value of the get_dy() method as min_dy(Minimum amount of 'reward' to receive) may result in user losses.
ICrvPoolPlain _poolCvgSDT = poolCvgSDT;
/// @dev Only swap if the returned amount in CvgSdt is gretear than the amount rewarded in SDT- _poolCvgSDT.exchange(0, 1, rewardAmount, _poolCvgSDT.get_dy(0, 1, rewardAmount), receiver);
+ _poolCvgSDT.exchange(0, 1, rewardAmount, rewardAmount, receiver);
sherlock-admin2
changed the title
Precise Snowy Eagle - Using the predicted value as Minimum amount of reward to receive may result in user losses
CL001 - Using the predicted value as Minimum amount of reward to receive may result in user losses
Dec 24, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
CL001
medium
Using the predicted value as Minimum amount of reward to receive may result in user losses
Summary
_withdrawRewards()
function in SdtRewardReceiver.sol calls_poolCvgsdt.exchage()
converts all SDT into CvgSDT.The
poolCvgsdt.exchage()
function uses the return value of theget_dy()
method as min_dy(Minimum amount of 'reward' to receive) may result in user losses.Vulnerability Detail
https://etherscan.io/address/0xCA0253A98D16e9C1e3614caFDA19318EE69772D0#code#L769
In
poolCvgsdt.exchange()
function compares the calculated'rewardAmount'
with the minimumrewardAmount(min_dy)
, forcing the actual'rewardAmount'
of received to be greater than or equal tomin_dy
.However, the
poolCvgsdt.exchage()
function uses the return value of theget_dy()
method asmin_dy,
Curve
pool.get_dy()
method returns a predicted value that may be less than the user expects(actual rewardAmount)https://etherscan.io/address/0xCA0253A98D16e9C1e3614caFDA19318EE69772D0#code#L721
As in the code comments “Only swap if the returned amount in CvgSdt is gretear than the amount rewarded in SDT”, This is to avoid losses to the user
https://github.com/sherlock-audit/2023-11-convergence/blob/e894be3e36614a385cf409dc7e278d5b8f16d6f2/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L234
Impact
Leads to loss of rewards for users
Code Snippet
https://github.com/sherlock-audit/2023-11-convergence/blob/e894be3e36614a385cf409dc7e278d5b8f16d6f2/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L234
Tool used
Manual Review
Recommendation
Use actual
'rewardAmount'
asmin_dy
Duplicate of #180
The text was updated successfully, but these errors were encountered: