sakshamguruji - Rewards Can Be Harvested Even When Distribution Is Marked As Finished #66

Open
sherlock-admin4 opened this issue Jul 25, 2024 · 2 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A Medium severity issue. Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin4

sherlock-admin4 commented Jul 25, 2024

sakshamguruji

High

Rewards Can Be Harvested Even When Distribution Is Marked As Finished

Summary

In the contract StakedEXA.sol, finishDistribution() intends to finish the distribution of the reward token, but it fails to do so. Rewards can still be harvested from the Market and later claimed, meaning rewards can be distributed in violation of the finish time of the distribution.

Vulnerability Detail

1.) finishDistribution() intends to finish the distribution of the reward token. Let's assume the admin now wants to finish the distribution and calls the function -->

https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L425

Now the finish time is set to block.timestamp.

2.) All the above function does is transfer reward tokens to the savings address (the amount depends on the rate and the time difference).

3.) After finishDistribution(), a normal user can still trigger the harvest() function -->

https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L344

This would first calculate the assets to be withdrawn from the market, which depends on the allowance of the distributor, and then the assets are withdrawn from the market.
Finally, notifyRewardAmount() is triggered.

https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L209

4.) In notifyRewardAmount() the reward rate would be calculated as

    RewardData storage rewardData = rewards[reward];
    if (block.timestamp >= rewardData.finishAt) {
      rewardData.rate = amount / rewardData.duration;
    }

because finishAt has been set to the timestamp at which finaliseRewards was called.

5.) And lastly rewardData is updated:

    rewardData.finishAt = uint40(block.timestamp) + rewardData.duration;
    rewardData.updatedAt = uint40(block.timestamp);

6.) Now the user can claim the rewards, since they have been harvested, by triggering the claim() function.

7.) Even after finalisation of rewards, the reward tokens were distributed from the market, harvested and notified. It can be seen as if the provider lost those assets, which were not meant to be distributed.

Impact

Rewards can still be harvested even after the finalisation of rewards, so the provider would lose his assets if he had given an infinite approval. The finalise rewards function is meant to finish the distribution of a reward token.

Code Snippet

https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L425-L432

Tool used

Manual Review

Recommendation

The way to avoid starting a new distribution would be for the provider to set a 0 allowance on the market or withdraw the assets.
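The restart described in steps 1 to 6 can be reproduced with a small model of the reward schedule. The Python below is an added illustration, not StakedEXA's code or the project's fix: it mirrors the names from the report (RewardData, finishDistribution, harvest, notifyRewardAmount) but simplifies the arithmetic (integer rates, a flat allowance instead of the Market's share accounting). The `guard_restart` flag models one possible contract-side mitigation, a "finished" state that makes notifyRewardAmount revert; that guard is an assumption for illustration and is not something the report or the page states the sponsor implemented. The `allowance_after_finish=0` case models the report's own recommendation.

```python
"""Toy model of the StakedEXA reward schedule described in the report.

Added example, not the project's code. Names mirror the report; the
arithmetic (rounding, share accounting) is simplified for illustration.
"""
from dataclasses import dataclass


@dataclass
class RewardData:
    duration: int          # length of one distribution period (seconds)
    rate: int = 0          # reward tokens distributed per second
    finish_at: int = 0     # timestamp at which distribution ends
    updated_at: int = 0


class RewardModel:
    def __init__(self, duration: int, allowance: int, guard_restart: bool = False):
        self.rd = RewardData(duration=duration)
        self.provider_allowance = allowance  # assets the provider approved to the distributor
        self.savings = 0                      # undistributed tokens swept by finishDistribution
        self.notified = 0                     # total reward tokens notified for distribution
        self.guard_restart = guard_restart    # assumed mitigation, not from the report
        self.finished = False

    def notify_reward_amount(self, now: int, amount: int) -> None:
        """Mirrors the report's step 4/5: a finished schedule (now >= finishAt)
        is treated exactly like an expired one, so a fresh period starts."""
        rd = self.rd
        if now >= rd.finish_at:
            rd.rate = amount // rd.duration
        else:
            remaining = (rd.finish_at - now) * rd.rate
            rd.rate = (amount + remaining) // rd.duration
        rd.finish_at = now + rd.duration
        rd.updated_at = now
        self.notified += amount

    def finish_distribution(self, now: int) -> None:
        """Report step 1/2: sweep the undistributed remainder to savings and
        pull finishAt back to the current timestamp."""
        rd = self.rd
        if now < rd.finish_at:
            self.savings += rd.rate * (rd.finish_at - now)
        rd.finish_at = now
        rd.updated_at = now
        self.finished = True

    def harvest(self, now: int) -> int:
        """Report step 3: anyone may pull whatever the allowance permits and
        notify it. Returns the amount harvested (0 if nothing was available)."""
        amount = self.provider_allowance  # simplified: allowance bounds the withdrawal
        if amount == 0:
            return 0
        if self.guard_restart and self.finished:
            # Models a Solidity revert: no state is touched before raising.
            raise RuntimeError("distribution finished; refusing to restart")
        self.provider_allowance -= amount
        self.notify_reward_amount(now, amount)
        return amount


def reproduce(guard_restart: bool = False, allowance_after_finish: int = 1_000) -> dict:
    """Run the scenario from the report and report whether distribution restarted."""
    model = RewardModel(duration=100, allowance=10_000, guard_restart=guard_restart)
    model.harvest(now=0)                 # period 1: rate 100/s, finishAt = 100
    model.finish_distribution(now=50)    # admin finishes early; 5_000 swept to savings
    model.provider_allowance = allowance_after_finish  # leftover (e.g. infinite) approval
    restarted = False
    try:
        amount = model.harvest(now=60)   # any user, after the "finish"
        restarted = amount > 0 and model.rd.finish_at > 60
    except RuntimeError:
        amount = 0
    return {
        "savings": model.savings,
        "harvested_after_finish": amount,
        "restarted": restarted,
        "finish_at": model.rd.finish_at,
    }
```

With the default arguments `reproduce()` shows the bug: 1,000 tokens are harvested at t=60 and finishAt jumps from 50 to 160, so a new 100-second period begins after the admin "finished" the distribution. With `allowance_after_finish=0` (the report's recommendation) or `guard_restart=True` (the assumed contract-side guard) nothing is harvested and finishAt stays at 50.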

@github-actions github-actions bot added the Medium A Medium severity issue. label Jul 28, 2024
@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Aug 7, 2024
@z3s z3s added the Has Duplicates A valid issue with 1+ other issues describing the same vulnerability label Aug 9, 2024
@sherlock-admin2 sherlock-admin2 changed the title Genuine Iron Marmot - Rewards Can Be Harvested Even When Distribution Is Marked As Finished sakshamguruji - Rewards Can Be Harvested Even When Distribution Is Marked As Finished Aug 9, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 9, 2024
@sherlock-admin2

The protocol team fixed this issue in the following PRs/commits:
exactly/protocol#753

@sherlock-admin2

The Lead Senior Watson signed off on the fix.
