Ethereum Credit Guild - Stormreckson's results

A trust minimized pooled lending protocol.

General Information

Platform: Code4rena

Start Date: 11/12/2023

Pot Size: $90,500 USDC

Total HM: 29

Participants: 127

Period: 17 days

Judge: TrungOre

Total Solo HM: 4

Id: 310

League: ETH

Researcher Performance

Rank: 118/127

Findings: 1

Award: $3.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

3.0466 USDC - $3.05

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
edited-by-warden
duplicate-473

External Links

Lines of code

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/SurplusGuildMinter.sol#L227-L232

Vulnerability details

When a loss occurs in a gauge, `lastGaugeLoss` is updated to the current `block.timestamp`.

```solidity
function notifyGaugeLoss(address gauge) external {
    require(msg.sender == profitManager, "UNAUTHORIZED");

    // save gauge loss
    lastGaugeLoss[gauge] = block.timestamp;
    emit GaugeLoss(gauge, block.timestamp);
}
```

In the `getRewards` function, when users try to redeem their stake, `userStake.lastGaugeLoss` is not initialized before it is compared, so it is always zero at that point.

```solidity
function getRewards(
    address user,
    address term
)
    public
    returns (
        uint256 lastGaugeLoss, // GuildToken.lastGaugeLoss(term)
        UserStake memory userStake, // stake state after execution of getRewards()
        bool slashed // true if the user has been slashed
    )
{
    bool updateState;
    lastGaugeLoss = GuildToken(guild).lastGaugeLoss(term);
    // userStake has not been assigned yet, so userStake.lastGaugeLoss reads as 0 here
    if (lastGaugeLoss > uint256(userStake.lastGaugeLoss)) {
        slashed = true;
    }
    // ... (excerpt ends here)
```

The condition `lastGaugeLoss > userStake.lastGaugeLoss` will always evaluate to true because `userStake` was never initialized, which sets `slashed` to true. When `slashed` is true, users won't be able to redeem their guild rewards.

https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/loan/SurplusGuildMinter.sol#L253-L256

```solidity
if (slashed) {
    guildReward = 0;
}
```

Impact

Users will lose their stake/rewards

Tools Used

Manual Review

The state of `userStake` should be read before the comparison:

```solidity
userStake = _stakes[user][term];
```

Assessed type

Context
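The ordering problem described in this finding, reduced to a standalone contract. This is an added example, not code from the audited repository: the contract name, the `stake` helper, the simplified `notifyGaugeLoss`, the two `slashed...` functions and the struct field types are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration; a simplified model, not the SurplusGuildMinter source.
contract SlashCheckDemo {
    struct UserStake {
        uint48 lastGaugeLoss; // gauge-loss timestamp recorded when the user staked
        uint128 guild;        // staked amount (simplified)
    }

    mapping(address => mapping(address => UserStake)) internal _stakes;
    mapping(address => uint256) public lastGaugeLoss; // stands in for GuildToken.lastGaugeLoss

    // Hypothetical helpers used only to set up state for the demo.
    function notifyGaugeLoss(address term) external {
        lastGaugeLoss[term] = block.timestamp;
    }

    function stake(address term, uint128 amount) external {
        _stakes[msg.sender][term] = UserStake({
            lastGaugeLoss: uint48(lastGaugeLoss[term]),
            guild: amount
        });
    }

    // Pattern from the finding: `userStake` is a named return variable, so it is
    // zero-initialized memory until assigned, and the comparison reads 0.
    function slashedBeforeLoad(address user, address term)
        external view returns (bool slashed, UserStake memory userStake)
    {
        if (lastGaugeLoss[term] > uint256(userStake.lastGaugeLoss)) {
            slashed = true; // true whenever the term has ever recorded a loss
        }
        userStake = _stakes[user][term]; // loaded too late to affect the check
    }

    // Ordering suggested in the finding: load from storage first, then compare.
    function slashedAfterLoad(address user, address term)
        external view returns (bool slashed, UserStake memory userStake)
    {
        userStake = _stakes[user][term];
        if (lastGaugeLoss[term] > uint256(userStake.lastGaugeLoss)) {
            slashed = true; // true only for a loss recorded after the user's stake
        }
    }
}
```

Calling `notifyGaugeLoss(term)` and then `stake(term, amount)` from a user account makes `slashedBeforeLoad` return `true` for that user while `slashedAfterLoad` returns `false`, because the stake already carries the loss timestamp.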

#0 - c4-pre-sort

2023-12-29T14:50:37Z

0xSorryNotSorry marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-29T14:50:57Z

0xSorryNotSorry marked the issue as duplicate of #1164

#2 - c4-judge

2024-01-28T20:20:02Z

Trumpero marked the issue as satisfactory
