BoRonGod - cannot forward extra rewards from both OCY_Convex to OCT_YDL. #479
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
BoRonGod
high
cannot forward extra rewards from both OCY_Convex to OCT_YDL.
Summary
Convex specifies
rewardContract
to be aVirtualBalanceRewardPool
, but all three OCY_Convex uses it as a ERC20 token, which make it impossible to claim extra rewards and forward them to the OCT_YDL.Vulnerability Detail
According to Convex doc:
But, in current implementation: (take OCY_Convex_A for example)
Tokens cannot be sent to YDL.
Impact
Current OCY_Convex_A, OCY_Convex_B and OCY_Convex_C cannot forward extraRewards to YDL.
Code Snippet
https://github.com/sherlock-audit/2024-03-zivoe/blob/main/zivoe-core-foundry/src/lockers/OCY/OCY_Convex_A.sol#L263
https://docs.convexfinance.com/convexfinanceintegration/baserewardpool#extra-rewards
Tool used
Manual Review
Recommendation
Use the real token address for token transfer.
The text was updated successfully, but these errors were encountered: