Ajna Protocol - Vagner's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH

Researcher Performance

Rank: 14/114

Findings: 1

Award: $845.55

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Haipls

Also found by: Koolex, Vagner

Labels

bug
3 (High Risk)
satisfactory
sponsor confirmed
upgraded by judge
duplicate-440

Awards

845.5499 USDC - $845.55

External Links

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L534-L551

Vulnerability details

Impact

The function _calculateNewRewards from RewardsManager.sol could revert all the time, under certain conditions, because of an overflow, making the functions claimRewards, moveStakedLiquidity and unstake unusable, since they all use _claimRewards, which in the end calls _calculateNewRewards.

Proof of Concept

The function _calculateNewRewards gets called in the end every time _claimRewards gets called, which happens in the functions claimRewards, moveStakedLiquidity and unstake. This function calls _getPoolAccumulators to get totalBurnedInPeriod and totalInterestEarnedInPeriod.

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L526-L532

Then it uses these 2 variables to calculate newRewards_ and rewardsCapped, which are then used in an if statement.

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L546-L550

The newRewards_ variable can be 0 in the case where totalInterestEarnedInPeriod is 0.

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L535-L541

In the case where newRewards_ is 0 and rewardsCapped is greater than 0, the if statement will be

    if (rewardsClaimedInEpoch_ + 0 > rewardsCapped) {
        newRewards_ = rewardsCapped - rewardsClaimedInEpoch_;
    }

which means that every time the if statement is true, the subtraction will revert since it will overflow, rewardsCapped being less than rewardsClaimedInEpoch_. This means that if a user has totalInterestEarnedInPeriod 0 but totalBurnedInPeriod greater than 0, the subtraction under the if statement could revert, making claimRewards, moveStakedLiquidity and unstake revert as well.

Tools Used

Manual audit

Take into consideration this specific case, since it could break most of the rewards mechanics for a user.

Assessed type

Under/Overflow
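
The revert condition described in the finding, shown next to a guarded form. This is an added example, not code from RewardsManager.sol or from the finding's author: only the if statement in capAsShown mirrors the snippet quoted above, while the contract name, function names, the guard in capGuarded and the numeric values in demo are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration; hypothetical contract, not Ajna's RewardsManager.
contract RewardsCapExample {
    /// Cap logic as quoted in the finding. Solidity >=0.8 uses checked
    /// arithmetic, so the subtraction reverts with Panic(0x11) whenever
    /// rewardsCapped < rewardsClaimedInEpoch.
    function capAsShown(
        uint256 newRewards,
        uint256 rewardsClaimedInEpoch,
        uint256 rewardsCapped
    ) public pure returns (uint256) {
        if (rewardsClaimedInEpoch + newRewards > rewardsCapped) {
            newRewards = rewardsCapped - rewardsClaimedInEpoch;
        }
        return newRewards;
    }

    /// Hypothetical guard (an assumption, not the project's fix): once the
    /// epoch cap is already reached or exceeded, nothing more is claimable.
    function capGuarded(
        uint256 newRewards,
        uint256 rewardsClaimedInEpoch,
        uint256 rewardsCapped
    ) public pure returns (uint256) {
        if (rewardsClaimedInEpoch >= rewardsCapped) return 0;
        // Safe: rewardsCapped > rewardsClaimedInEpoch at this point.
        uint256 remaining = rewardsCapped - rewardsClaimedInEpoch;
        return newRewards > remaining ? remaining : newRewards;
    }

    /// Constructed values: newRewards = 0, claimed = 100e18, cap = 80e18.
    function demo() external view returns (bool asShownReverted, uint256 guarded) {
        // External self-call so the Panic can be caught instead of bubbling up.
        try this.capAsShown(0, 100e18, 80e18) returns (uint256) {
            asShownReverted = false;
        } catch {
            asShownReverted = true; // arithmetic underflow in the subtraction
        }
        guarded = capGuarded(0, 100e18, 80e18); // returns 0 instead of reverting
    }
}
```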

#0 - c4-sponsor

2023-05-19T19:01:23Z

MikeHathaway marked the issue as sponsor confirmed

#1 - c4-judge

2023-05-31T13:58:23Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-05-31T13:59:42Z

Picodes marked the issue as duplicate of #440

#3 - c4-judge

2023-06-03T13:14:12Z

Picodes changed the severity to 3 (High Risk)
