Venus Prime - nisedo's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Platform: Code4rena

Start Date: 28/09/2023

Pot Size: $36,500 USDC

Total HM: 5

Participants: 115

Period: 6 days

Judge: 0xDjango

Total Solo HM: 1

Id: 290

League: ETH

Venus Protocol

Researcher Performance

Rank: 111/115

Findings: 1

Award: $4.37

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L274-L278
https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L249-L272
https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L286-L301

Vulnerability Details

The PrimeLiquidityProvider.accrueTokens() and PrimeLiquidityProvider._initializeToken() functions rely on block.number for calculating token accruals and initializing token distributions. This approach can lead to inconsistent behavior when deployed on Layer 2 solutions like Arbitrum or Optimism (opBNB), where block.number doesn't operate the same way as it does on Ethereum mainnet.

getBlockNumber():

function getBlockNumber() public view virtual returns (uint256) {
    return block.number; //@audit-issue block.number means different things on different L2s	
}

For PrimeLiquidityProvider.accrueTokens():

uint256 blockNumber = getBlockNumber();
uint256 deltaBlocks = blockNumber - lastAccruedBlock[token_];

For PrimeLiquidityProvider._initializeToken():

uint256 blockNumber = getBlockNumber();
uint256 initializedBlock = lastAccruedBlock[token_];

Impact

  • Inconsistent Behavior: The functions may not work as intended when deployed on Layer 2 solutions, affecting the token accrual and distribution mechanisms.
  • Exploitability: Malicious actors may exploit the varying behaviors of block.number on different platforms to manipulate token accrual or initialization.

Tools Used

  • Manual review
  • Solodit

Use block.timestamp: Consider using block.timestamp instead of block.number to measure the time between actions, as block.timestamp is more consistent across different blockchains.

Assessed type

Other
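
The following is an added model, not part of the original submission or the Venus code base, of the behaviour the finding describes: the same per-block speed accrues different amounts per day when block.number advances at different rates, while a per-second speed does not. The chain cadences and speed values are constructed for illustration; only lastAccruedBlock and deltaBlocks mirror names from the excerpts above.

```python
"""Added model (not Venus code): block-based vs time-based accrual."""
from dataclasses import dataclass

# Constructed values, for illustration only.
SPEED_PER_BLOCK = 30    # hypothetical tokens per block, tuned for 3 s blocks
SPEED_PER_SECOND = 10   # hypothetical tokens per second (same daily rate)


@dataclass
class Chain:
    name: str
    seconds_per_number: int  # wall-clock seconds per +1 of block.number

    def block_number(self, now: int) -> int:
        return now // self.seconds_per_number


# Constructed cadences; the last one models block.number following the
# height of a slower parent chain instead of the chain's own blocks.
CHAINS = [
    Chain("3s-blocks", 3),
    Chain("1s-blocks", 1),
    Chain("number-follows-12s-parent-chain", 12),
]


def simulate(chain: Chain, duration: int = 86_400, call_every: int = 3_600):
    """Call accrue once per `call_every` seconds; return (by_block, by_time)."""
    last_accrued_block = chain.block_number(0)  # lastAccruedBlock[token_]
    last_accrued_time = 0
    by_block = by_time = 0
    for now in range(call_every, duration + 1, call_every):
        block_number = chain.block_number(now)
        delta_blocks = block_number - last_accrued_block  # deltaBlocks
        by_block += delta_blocks * SPEED_PER_BLOCK
        last_accrued_block = block_number
        by_time += (now - last_accrued_time) * SPEED_PER_SECOND
        last_accrued_time = now
    return by_block, by_time


def report():
    """Accrued totals over one day for every constructed chain."""
    return {c.name: simulate(c) for c in CHAINS}


if __name__ == "__main__":
    for name, (by_block, by_time) in report().items():
        print(f"{name:34} per-block={by_block:>9,} per-second={by_time:>9,}")
```

With an unchanged per-block speed, the one-day total in this model ranges from a quarter to three times the intended amount, so a block-based deployment needs its speed re-derived for each chain's block.number semantics.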

#0 - c4-pre-sort

2023-10-05T00:57:14Z

0xRobocop marked the issue as duplicate of #132

#1 - c4-judge

2023-10-31T19:34:39Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#2 - c4-judge

2023-11-03T01:54:30Z

fatherGoose1 marked the issue as grade-b
