Back to 0xjuicer's contests

Aura Finance contest - 0xjuicer's results

Providing optimal incentives for VotingEscrow systems.

General Information

Platform: Code4rena

Start Date: 11/05/2022

Pot Size: $150,000 USDC

Total HM: 23

Participants: 93

Period: 14 days

Judge: LSDan

Total Solo HM: 18

Id: 123

League: ETH

Aura Finance

Findings Distribution

Researcher Performance

Rank: 4/93

Findings: 2

Award: $7,523.70

🌟 Selected for report: 2

πŸš€ Solo Findings: 1

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAura Finance

Findings Information

🌟 Selected for report: 0xjuicer

Labels

bug
2 (Med Risk)
disagree with severity
resolved
sponsor confirmed

Awards

5188.7624 USDC - $5,188.76

External Links

Link to GitHub issue

Lines of code

https://github.com/aurafinance/convex-platform/blob/9cae5eb5a77e73bbc1378ef213740c1889e2e8a3/contracts/contracts/BaseRewardPool4626.sol

Vulnerability details

Impact

BaseRewardPool4626 is not IERC4626 compliant. This makes the BaseRewardPool4626 contract irrelevant as it is for now since projects won't be able to integrate with BaseRewardPool4626 using theeip-4626 standard.

Suggestion

You can choose to remove the BaseRewardPool4626 and save on some deployment gas or review the necessary functions and emits required on eip-4626 and add it to BaseRewardPool4626.

#0 - 0xMaharishi

2022-05-25T16:09:28Z

Valid report

https://github.com/code-423n4/2022-05-aura/pull/5

Resolved here ^

#1 - 0xMaharishi

2022-05-25T16:09:51Z

Probably should be severity 1 though.. no funds are ever at risk under any scenario

#2 - dmvt

2022-06-20T18:47:39Z

I agree with medium risk here

Findings Information

🌟 Selected for report: 0xjuicer

Also found by: csanuragjain

Labels

bug
2 (Med Risk)
disagree with severity
resolved
sponsor acknowledged
sponsor confirmed

Awards

2334.9431 USDC - $2,334.94

External Links

Link to GitHub issue

Lines of code

https://github.com/aurafinance/aura-contracts-lite/blob/main/contracts/AuraLocker.sol#L848

Vulnerability details

Rewards distribution can be delayed/never distributed on AuraLocker.sol#L848

Issue

Someone malicious can delay the rewards distribution for non cvxCrv tokens distributed on AuraLocker.sol.

1: Attacker will send one wei of token that are distributed on the AuraLocker.sol to AuraStakingProxy.

2: Attacker will call distributeOther. The function will call notifyRewardAmount that calls _notifyReward

When calling _notifyReward the rewards left to distribute over the 7 days are redistributed throughout a new period starting immediately.

uint256 remaining = uint256(rdata.periodFinish).sub(block.timestamp);
uint256 leftover = remaining.mul(rdata.rewardRate);
rdata.rewardRate = _reward.add(leftover).div(rewardsDuration).to96();

Example: If the reward rate is 1 token (10**18) per second and 3.5 days are left (302400 seconds), we get a leftover of 302400 tokens. this is then divided by 604800, the reward rate is now 0.5 and the user of the protocol will have to wait one week for tokens that were supposed to be distributed over 3.5 days. This can be repeated again and again so that some rewards are never distributed.

Suggestion

I can see that queueNewRewards has some protective mechanism. A new period is started only if the token that is added on top of the already distributed tokens during the duration is over 120%.

I suggest adding a similar check to queueNewRewards

#0 - 0xMaharishi

2022-05-30T21:04:06Z

https://github.com/code-423n4/2022-05-aura/pull/6

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter