CL001 - Using the predicted value as Minimum amount of reward to receive may result in user losses

[sherlock-admin2]

CL001

medium

Using the predicted value as Minimum amount of reward to receive may result in user losses

Summary

_withdrawRewards() function in SdtRewardReceiver.sol calls _poolCvgsdt.exchage() converts all SDT into CvgSDT.
The poolCvgsdt.exchage() function uses the return value of the get_dy() method as min_dy(Minimum amount of 'reward' to receive) may result in user losses.

Vulnerability Detail

https://etherscan.io/address/0xCA0253A98D16e9C1e3614caFDA19318EE69772D0#code#L769
InpoolCvgsdt.exchange()function compares the calculated 'rewardAmount' with the minimum rewardAmount(min_dy), forcing the actual 'rewardAmount' of received to be greater than or equal to min_dy.

However, the poolCvgsdt.exchage() function uses the return value of the get_dy() method as min_dy,
Curve pool.get_dy() method returns a predicted value that may be less than the user expects(actual rewardAmount)
https://etherscan.io/address/0xCA0253A98D16e9C1e3614caFDA19318EE69772D0#code#L721

As in the code comments “Only swap if the returned amount in CvgSdt is gretear than the amount rewarded in SDT”, This is to avoid losses to the user
https://github.com/sherlock-audit/2023-11-convergence/blob/e894be3e36614a385cf409dc7e278d5b8f16d6f2/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L234

Impact

Leads to loss of rewards for users

Code Snippet

https://github.com/sherlock-audit/2023-11-convergence/blob/e894be3e36614a385cf409dc7e278d5b8f16d6f2/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L234

Tool used

Manual Review

Recommendation

Use actual 'rewardAmount' as min_dy

ICrvPoolPlain _poolCvgSDT = poolCvgSDT;
/// @dev Only swap if the returned amount in CvgSdt is gretear than the amount rewarded in SDT
- _poolCvgSDT.exchange(0, 1, rewardAmount, _poolCvgSDT.get_dy(0, 1, rewardAmount), receiver);

+ _poolCvgSDT.exchange(0, 1, rewardAmount, rewardAmount, receiver);

Duplicate of #180