veRWA - 0xStalin's results

Lines of code

https://github.com/code-423n4/2023-08-verwa/blob/main/src/LendingLedger.sol#L188-L199

Vulnerability details

Impact

• Some users may won't be able to claim their corresponding rewards for some epochs if the total amount of rewards that was allocated for the epochs doesn't match or is less than the total CANTO balance in the contract

Proof of Concept

• Rewards can be set to any amount for different epochs, but there are no checks to enforce if there is enough CANTO to back up the total allocated rewards for the specified ephocs.

• The consequence of not enforcing that the rewards are really fully back up with CANTO tokens are that epochs can run out of rewards before all the users have claimed their corresponding rewards, thus, some users will lost their rewards.

• The only way this contract can receive CANTO tokens is by directly depositing them using the LendingLedger::receive(), but this function also doesn't validate if the amount of CANTO tokens been deposited are enough to fully back up the total rewards allocated for all the epochs for all the users.

  • Governance could send a tremendous huge number of CANTO tokens and just leave them sitting there in the contract, but that might not be the most optimal approach since those tokens would be basically doing nothing in the contract, those tokens could be used in other things to generate some yield overtime.

• The most optimal approach is to ensure that all the allocated rewards for all the epochs are fully backed up by CANTO tokens, the contract should have a 100% of the rewards to be distributed, not more not less.

Tools Used

Manual Audit

Recommended Mitigation Steps

• When setting the rewards also force the deposit of all the rewards that are been allocated.
• Make payable this function and validate that the total amount of rewards allocated for all the epochs matches the total CANTO (native token) that was sent alongside this call

+ function setRewards(....) .... payable {
+   uint256 totalAllocatedRewards = 0;
    for(...){
      ...
+     totalAllocatedRewards += _amountPerEpoch;
    }

+   //If msg.value is greather than the total allocated rewards, refund the excess
+   if(msg.value > totalAllocatedRewards) {
+       uint refundExcess = msg.value - totalAllocatedRewards;
+       (bool success, ) = msg.sender.call{refundExcess}("");
+       require(success, "Failed to send CANTO");
+   } else {
+       revert("Not enough CANTO tokens were sent to back up all the allocated rewards for all the epochs");
+   }
  }

Assessed type

Invalid Validation