Platform: Code4rena
Start Date: 28/09/2023
Pot Size: $36,500 USDC
Total HM: 5
Participants: 115
Period: 6 days
Judge: 0xDjango
Total Solo HM: 1
Id: 290
League: ETH
Rank: 44/115
Findings: 2
Award: $129.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: deth
Also found by: 0xDetermination, 0xpiken, 3agle, Brenzee, Flora, HChang26, KrisApostolov, Satyam_Sharma, Testerbot, aycozynfada, berlin-101, gkrastenov, mahdirostami, merlin, rokinot, rvierdiiev, said, santipu_, sl1, tapir, twicek
124.9633 USDC - $124.96
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L331-L359
stakedAt is not deleted for an irrevocable token; if the token is burnt, the user will be able to mint a revocable token instantly
It's possible that an irrevocable token will be minted for a user who doesn't have a revocable token yet. As you can see, in this case the user's stakedAt time is not removed, as it is for revocable minting.
It's also possible that any token will be burnt by the DAO. This function also does not remove stakedAt for the user.
Because of that, the following situation is possible.
1. The user staked the needed amount of tokens and has waited 80 days.
2. For some reason, an irrevocable token was minted to him by the DAO and his stakedAt was not deleted.
3. After a long time his token was burnt by the DAO, but stakedAt is still old enough to mint a new revocable token instantly.
4. The user calls claim and doesn't need to wait an additional 90 days to get a revocable token.
Tools used: VsCode
Recommended mitigation: when burning an irrevocable token, set stakedAt to block.timestamp.
Assessed type: Error
#0 - c4-pre-sort
2023-10-05T00:02:17Z
0xRobocop marked the issue as duplicate of #633
#1 - c4-judge
2023-10-31T19:49:20Z
fatherGoose1 marked the issue as satisfactory
#2 - c4-judge
2023-11-05T00:50:32Z
fatherGoose1 changed the severity to 3 (High Risk)
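The timeline in steps 1-4 of the stakedAt finding above, replayed against a simplified Python model. This is an added example, not code from the report or from Venus; `PrimeModel`, `reset_on_burn`, the user name and the 365-day gap are assumptions made for illustration. It compares the behaviour described in the finding with the suggested mitigation of resetting stakedAt on burn.

```python
# Simplified model of the stakedAt bookkeeping in the finding above.
# Constructed for illustration; NOT the Venus Prime contract code.
DAY = 24 * 60 * 60
STAKING_PERIOD = 90 * DAY  # the 90-day wait named in the finding

class PrimeModel:
    def __init__(self, reset_on_burn):
        self.reset_on_burn = reset_on_burn  # True = mitigation proposed above
        self.now = 0
        self.staked_at = {}  # user -> time the qualifying stake began
        self.token = {}      # user -> "revocable" | "irrevocable"

    def stake(self, user):
        self.staked_at.setdefault(user, self.now)

    def issue(self, user, irrevocable):
        self.token[user] = "irrevocable" if irrevocable else "revocable"
        if not irrevocable:
            self.staked_at.pop(user, None)  # only the revocable path clears it

    def burn(self, user):
        kind = self.token.pop(user)
        if self.reset_on_burn and kind == "irrevocable":
            self.staked_at[user] = self.now  # restart the waiting period

    def claim(self, user):
        start = self.staked_at.get(user)
        if user in self.token or start is None:
            return False
        if self.now - start < STAKING_PERIOD:
            return False
        del self.staked_at[user]
        self.token[user] = "revocable"
        return True


def days_until_claim_after_burn(reset_on_burn):
    """Replay steps 1-4; return days after the burn until claim() succeeds."""
    m = PrimeModel(reset_on_burn)
    m.stake("alice")
    m.now += 80 * DAY                   # step 1
    m.issue("alice", irrevocable=True)  # step 2
    m.now += 365 * DAY                  # step 3 (365 days is a constructed value)
    m.burn("alice")
    for day in range(200):
        if m.claim("alice"):
            return day
        m.now += DAY
    return None
```

Without the reset the claim succeeds on the day of the burn; with it the user waits the full staking period again.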
🌟 Selected for report: Bauchibred
Also found by: 0x3b, 0xDetermination, 0xMosh, 0xScourgedev, 0xTheC0der, 0xTiwa, 0xWaitress, 0xdice91, 0xfusion, 0xpiken, 0xprinc, 0xweb3boy, ArmedGoose, Aymen0909, Breeje, Brenzee, Daniel526, DavidGiladi, DeFiHackLabs, Flora, Fulum, HChang26, Hama, IceBear, J4X, Krace, KrisApostolov, Maroutis, Mirror, MohammedRizwan, Norah, PwnStars, SPYBOY, TangYuanShen, Testerbot, ThreeSigma, Tricko, al88nsk, alexweb3, ast3ros, berlin-101, bin2chen, blutorque, btk, d3e4, deth, e0d1n, ether_sky, ge6a, gkrastenov, glcanvas, hals, imare, inzinko, jkoppel, jnforja, joaovwfreire, josephdara, kutugu, lotux, lsaudit, mahdirostami, merlin, n1punp, nadin, neumo, nisedo, nobody2018, oakcobalt, orion, peanuts, pep7siup, pina, ptsanev, rokinot, rvierdiiev, said, santipu_, sashik_eth, seerether, squeaky_cactus, terrancrypt, tonisives, twicek, vagrant, xAriextz, y4y
4.3669 USDC - $4.37
If the contract has a larger token balance than the amount accrued by rewarders, the PrimeLiquidityProvider.getEffectiveDistributionSpeed function returns distributionSpeed.
However, it's possible that accrueTokens wasn't called for a long time for a token, and as a result the remaining balance has been distributed as well but is still not stored in the tokenAmountAccrued[token_] variable. As a result, the function will show that the token still accrues rewards when it does not.
To show the correct value, you need to call the accrueTokens function first. But as this function is not a view function, that is unlikely to be done.
#0 - c4-pre-sort
2023-10-07T02:10:46Z
0xRobocop marked the issue as low quality report