Ethereum Credit Guild - KupiaSec's results

A trust minimized pooled lending protocol.

General Information

Platform: Code4rena

Start Date: 11/12/2023

Pot Size: $90,500 USDC

Total HM: 29

Participants: 127

Period: 17 days

Judge: TrungOre

Total Solo HM: 4

Id: 310

League: ETH

Researcher Performance

Rank: 119/127

Findings: 1

Award: $3.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

3.0466 USDC - $3.05

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
duplicate-473

External Links

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/SurplusGuildMinter.sol#L230

Vulnerability details

Impact

Users that stake their credit tokens before a loss occurs will receive no rewards.

Proof of Concept

After the forgive() function of the LendingTerm contract is called, or when an auction is settled with too few credit tokens bid, i.e. when a loss occurs, the LendingTerm contract calls the notifyPnl() function of the ProfitManager contract. In that function, if pnl is negative, notifyGaugeLoss() is called on the GuildToken contract, which updates the gauge's lastGaugeLoss state to block.timestamp. In the getRewards() function of the SurplusGuildMinter contract, userStake.lastGaugeLoss stays 0 forever for users who staked before the gauge loss, so the slashed flag is set to true. As a result, those users cannot get any rewards at all.

function getRewards(
    address user,
    address term
)
    public
    returns (
        uint256 lastGaugeLoss, // GuildToken.lastGaugeLoss(term)
        UserStake memory userStake, // stake state after execution of getRewards()
        bool slashed // true if the user has been slashed
    )
{
    bool updateState;
    lastGaugeLoss = GuildToken(guild).lastGaugeLoss(term);

    //@audit userStake.lastGaugeLoss can still be zero here, so slashed is set to true
    if (lastGaugeLoss > uint256(userStake.lastGaugeLoss)) {
        slashed = true;
    }
    // if the user is not staking, do nothing
    userStake = _stakes[user][term];
    if (userStake.stakeTime == 0)
        return (lastGaugeLoss, userStake, slashed);
    // remainder of getRewards() not quoted in the finding
}
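As an added illustration (not code from the finding or from the Ethereum Credit Guild repository), the following constructed Solidity model walks through the timeline the finding describes: a loss is recorded on the gauge, and a user whose stake predates that loss is flagged as slashed and receives nothing, including the rewards accrued before the loss. The MockGuildToken contract, the StakeSlashModel contract, its UserStake field layout and the rewardRatePerSecond parameter are assumptions made for this example; the slashing comparison itself mirrors the one in the snippet above. Note that in the quoted snippet the comparison runs before `_stakes[user][term]` is loaded into `userStake`; the model loads the stake first so that the effect the finding describes (a stake opened before the first loss holds lastGaugeLoss == 0) is visible on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Constructed stand-in for GuildToken: records the timestamp of the most recent loss
// per gauge. In the protocol this is reached through
// LendingTerm -> ProfitManager.notifyPnl() -> GuildToken.notifyGaugeLoss().
// Access control is left out here because the example only models the state change.
contract MockGuildToken {
    mapping(address => uint256) public lastGaugeLoss;

    function notifyGaugeLoss(address gauge) external {
        lastGaugeLoss[gauge] = block.timestamp;
    }
}

// Constructed model of the staking side. The struct layout and rewardRatePerSecond
// are assumptions for this example, not SurplusGuildMinter's own storage.
//
// Timeline the finding describes (t = block.timestamp):
//   t=100  alice stakes            -> stored lastGaugeLoss = 0 (no loss yet)
//   t=200  loss on the term        -> guild.lastGaugeLoss(term) = 200
//   t=300  bob stakes              -> stored lastGaugeLoss = 200
//   t=400  getRewards(alice): 200 > 0    -> slashed, reward 0
//          (her 100 seconds of accrual before the loss are gone)
//          getRewards(bob):   200 > 200  -> false, not slashed, reward = credit * 100 * rate
contract StakeSlashModel {
    struct UserStake {
        uint48 stakeTime;      // 0 means "not staking"
        uint48 lastGaugeLoss;  // guild.lastGaugeLoss(term) at stake time
        uint256 credit;        // amount of credit tokens staked
    }

    MockGuildToken public immutable guild;
    uint256 public immutable rewardRatePerSecond; // hypothetical: reward per credit per second

    mapping(address => mapping(address => UserStake)) internal _stakes;

    constructor(MockGuildToken _guild, uint256 _rewardRatePerSecond) {
        guild = _guild;
        rewardRatePerSecond = _rewardRatePerSecond;
    }

    // Snapshot the gauge's current loss timestamp into the stake. A user who stakes
    // before any loss has been recorded stores 0 here.
    function stake(address term, uint256 amount) external {
        _stakes[msg.sender][term] = UserStake({
            stakeTime: uint48(block.timestamp),
            lastGaugeLoss: uint48(guild.lastGaugeLoss(term)),
            credit: amount
        });
    }

    // Same comparison as the finding's snippet, applied to the stored stake:
    // any loss recorded after the stake flags the user as slashed, and a slashed
    // user receives no reward at all, including what accrued before the loss.
    function getRewards(address user, address term)
        public
        view
        returns (uint256 lastGaugeLoss, UserStake memory userStake, bool slashed, uint256 reward)
    {
        lastGaugeLoss = guild.lastGaugeLoss(term);
        userStake = _stakes[user][term];

        // if the user is not staking, do nothing
        if (userStake.stakeTime == 0) return (lastGaugeLoss, userStake, false, 0);

        if (lastGaugeLoss > uint256(userStake.lastGaugeLoss)) {
            slashed = true;
        }
        if (!slashed) {
            // Accrual since stakeTime; a slashed user gets none of it, which is the
            // loss of pre-loss rewards the finding points at.
            reward = userStake.credit * (block.timestamp - userStake.stakeTime) * rewardRatePerSecond;
        }
    }
}
```

Running the timeline above in a local test harness (e.g. with warped block timestamps) shows alice slashed with reward 0 and bob unslashed, which is the asymmetry the recommended mitigation is meant to address: rewards accrued up to the loss timestamp should be settled for existing stakers before lastGaugeLoss moves forward.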

Tools Used

Manual Review

Recommended Mitigation Steps

There should be logic to settle users' already accumulated rewards before lastGaugeLoss is updated.

Assessed type

Other

#0 - c4-pre-sort

2023-12-29T18:47:48Z

0xSorryNotSorry marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-29T18:48:26Z

0xSorryNotSorry marked the issue as duplicate of #1164

#2 - c4-judge

2024-01-28T20:09:54Z

Trumpero marked the issue as satisfactory

#3 - c4-judge

2024-01-31T13:46:46Z

Trumpero changed the severity to 3 (High Risk)
