Back to mrvincere's contests

Ajna Protocol - mrvincere's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH

Ajna Protocol

Findings Distribution

Researcher Performance

Rank: 113/114

Findings: 1

Award: $15.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAjna Protocol

Findings Information

🌟 Selected for report: aviggiano

Also found by: 0xSmartContract, 0xTheC0der, 0xcm, ABAIKUNANBAEV, Audinarey, Audit_Avengers, BGSecurity, Bauchibred, Dug, Evo, Haipls, Jerry0x, TS, bytes032, devscrooge, kenta, ladboy233, mrvincere, patitonar, sakshamguruji, tsvetanovv

Awards

15.5756 USDC - $15.58

Labels

bug
3 (High Risk)
satisfactory
duplicate-251

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L815

Vulnerability details

Impact

Whenever a user Stakes their NFT , they are awarded reward in Ajna Tokens for Updating Bucket Exchange Rate as well as interest earned by keeping their NFT in the contract . While reviewing the RewardsManager.sol , the function _transferAjnaRewards caught my attention. The problem is

if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance; , as it completely destroys the additiona extra reward tokens if the reward token exceeds the current ajnaBalance.

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L815

This can lead to griefing attacks where user's loose parts of their reward tokens as some malicious actor spreads some news and because of the impact of the news, everyone starts calling the contract at the same time to withdraw their rewards and NFTs .

Proof of Concept

  1. Alice, John, and Caren and some 1000 more users have staked their NFT to the contract for a long time let's say 2 years or even more. They expect that they will get a huge amount of rewards from interest of Staking .
  2. A Malicious actor Kevin has also staked his multiple NFT to the contract from a short time. He knows that he will get some good reward in tokens but his intentions are not about the rewards but to harm other users and cause their loss of reward.
  3. What Kevin does is, He starts spreading fake news that the Ajna Contract will come to an end or maybe is closing or something.
  4. All the user's start panicking as they fear that they will loose their NFT as well as Token Rewards.
  5. All of them starts calling cliam() function to withdraw their rewards( through unstake() ).
  6. Because of this, there comes a surge in reward claims as all users are simultaneously claiming the rewards.
  7. Because of this, the ajnaBalance decreases and multiple users with huge rewards will start getting lose of rewards as if the rewardsEarned_ > ajnaBalance then rewardsEarned = ajnaBalance and all the remaining balance of rewardsEarned get's lost.

Tools Used

Manual Analysis

It will be better if there is a check before calling the _transferAjnaRewards() to check for ajnaBalance and if it is less than rewardsEarned, the function does not get's called .

Another remediation would be to handle the rewardsEarned_ = ajnaBalance; with a different logic to prevent the reward tokens loss of users.

Assessed type

Other

#0 - c4-judge

2023-05-12T10:34:46Z

Picodes marked the issue as duplicate of #361

#1 - c4-judge

2023-05-29T20:57:56Z

Picodes marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter