Venus Prime - y4y's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Platform: Code4rena

Start Date: 28/09/2023

Pot Size: $36,500 USDC

Total HM: 5

Participants: 115

Period: 6 days

Judge: 0xDjango

Total Solo HM: 1

Id: 290

League: ETH

Venus Protocol

Findings Distribution

Researcher Performance

Rank: 102/115

Findings: 1

Award: $4.37

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L373

Vulnerability details

Impact

A user's Prime token may be burnt if the user has previously staked some XVS tokens and is later directly issued a revocable Prime token.

Proof of Concept

Suppose Bob wants to join the program and has already deposited 900 XVS tokens to the vault. Then, for some reason, the admin decides to reward Bob by directly issuing a Prime token to him without notifying him. Now Bob has the Prime token, and tokens[Bob].exists returns true. However, Bob unknowingly continues and deposits 50 more XVS tokens to the vault, which triggers the Prime::xvsUpdated() function:

    function xvsUpdated(address user) external {
        uint256 totalStaked = _xvsBalanceOfUser(user);
        bool isAccountEligible = isEligible(totalStaked);

        if (tokens[user].exists && !isAccountEligible) {
            if (tokens[user].isIrrevocable) {
                _accrueInterestAndUpdateScore(user);
            } else {
                _burn(user);
            }
        } else if (!isAccountEligible && !tokens[user].exists && stakedAt[user] > 0) {
            stakedAt[user] = 0;
        } else if (stakedAt[user] == 0 && isAccountEligible && !tokens[user].exists) {
            stakedAt[user] = block.timestamp;
        } else if (tokens[user].exists && isAccountEligible) {
            _accrueInterestAndUpdateScore(user);
        }
    }

Since Bob does not yet have 1000 XVS tokens, isAccountEligible is false, and since Bob's Prime token is revocable, the _burn(user) line is executed, which causes Bob to lose his newly received Prime token. Bob can still claim another Prime token later once the required staked amount is met, but he would have to wait another 90 days to do so, causing him to lose potential interest and rewards.

Tools Used

Manual review.

Add an additional attribute, such as directlyIssued, for tokens that are issued to users by the issue function.

Assessed type

Context
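A simplified Python model of the xvsUpdated() branches quoted above, replaying Bob's scenario with and without the suggested directlyIssued attribute. This is an added example, not code from the finding or from Venus; the class, function and constant names are hypothetical, and treating a directly issued token as exempt from the burn is an assumption about how the attribute would be used.

```python
from dataclasses import dataclass

MINIMUM_STAKED_XVS = 1000  # model constant: the 1000 XVS threshold the finding refers to

@dataclass
class Token:
    exists: bool = False
    is_irrevocable: bool = False
    directly_issued: bool = False  # hypothetical flag from the suggested mitigation

class PrimeModel:
    """Simplified model of the xvsUpdated() branches; not the Venus contract."""
    def __init__(self, honor_directly_issued: bool):
        self.honor_directly_issued = honor_directly_issued
        self.staked = {}     # user -> XVS held in the vault
        self.staked_at = {}  # user -> time eligibility began (0 = unset)
        self.tokens = {}     # user -> Token

    def issue(self, user, is_irrevocable=False):
        # Admin path: mint a token with no staking requirement.
        self.tokens[user] = Token(True, is_irrevocable, directly_issued=True)

    def deposit(self, user, amount, now):
        self.staked[user] = self.staked.get(user, 0) + amount
        self.xvs_updated(user, now)  # the deposit triggers the Prime callback

    def xvs_updated(self, user, now):
        token = self.tokens.setdefault(user, Token())
        eligible = self.staked.get(user, 0) >= MINIMUM_STAKED_XVS
        staked_at = self.staked_at.get(user, 0)
        if token.exists and not eligible:
            protected = token.is_irrevocable or (
                self.honor_directly_issued and token.directly_issued)
            if not protected:
                self.tokens[user] = Token()  # stands in for _burn(user)
        elif not eligible and not token.exists and staked_at > 0:
            self.staked_at[user] = 0
        elif staked_at == 0 and eligible and not token.exists:
            self.staked_at[user] = now
        # The remaining branch only accrues interest, which is not modelled.

def bob_keeps_token(honor_directly_issued: bool) -> bool:
    """Replay the scenario: 900 XVS staked, token issued, then 50 XVS more."""
    prime = PrimeModel(honor_directly_issued)
    prime.deposit("bob", 900, now=1)
    prime.issue("bob")               # revocable token issued by the admin
    prime.deposit("bob", 50, now=2)  # 950 < 1000, so the burn branch is reached
    return prime.tokens["bob"].exists
```

With the flag ignored, the second deposit burns Bob's token; with it honored, the token survives the same sequence.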

#0 - c4-pre-sort

2023-10-06T22:12:58Z

0xRobocop marked the issue as duplicate of #485

#1 - c4-judge

2023-10-31T17:56:54Z

fatherGoose1 changed the severity to QA (Quality Assurance)
