New user is able to gain ALL rewards since protocol launch #1211
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate-1194
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report
This report is of sufficient quality
Comments
c4-bot-1
added
3 (High Risk)
|
0xSorryNotSorry marked the issue as sufficient quality report |
c4-pre-sort
added
the
sufficient quality report
|
0xSorryNotSorry marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
This was referenced Jan 1, 2024
Closed
Closed
Closed
This was referenced Jan 2, 2024
This was referenced Jan 3, 2024
|
#1194 (marked as duplicate to this issue) contains a test that can be run to confirm Disputing severity (think it's more fit for medium because there is no loss of user funds, just rewards) |
|
eswak (sponsor) confirmed |
c4-sponsor
added
the
sponsor confirmed
|
eswak marked the issue as disagree with severity |
c4-sponsor
added
the
disagree with severity
|
Trumpero marked the issue as satisfactory |
c4-judge
added
the
satisfactory
|
Trumpero marked issue #1194 as primary and marked this issue as a duplicate of 1194 |
c4-judge
added
duplicate-1194
and removed
primary issue
|
I still consider this issue a high severity because the rewards in ProfitManager are matured yield, which should be distributed to the intended users, and the loss of matured yield is considered a high-severity issue based on C4's criteria. @eswak |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-12-ethereumcreditguild/blob/2376d9af792584e3d15ec9c32578daa33bb56b43/src/governance/ProfitManager.sol#L409-L436
Vulnerability details
Gauge rewards in ECG are similar to Compound - there is a global ever-increasing profit index, and one profit index per user, synchronized by applying the delta between
gaugeProfitIndexanduserGaugeProfitIndex.When user profit index is not initialized, it's set to 1e18. This is an issue when the ProfitManager operates for some time and the gaugeProfitIndex grew to a new value. Then we have following situation:
gaugeProfitIndex = 1.2e18User just joined, userGaugeProfitIndex is set to
1e18. Hence He's elligible to all rewards since gauge started operating.The problem is even worse if the Guild token transfer are enabled. Then a malicious actor can use sybil accounts and claim all the rewards of other users to themselves.
Impact
All rewards are stolen by sybil accounts, able to claim all rewards since the protocol launch.
Proof of Concept
gaugeProfitIndexto grow.GuildToken.incrementGauge(). From a new account. This will internally callProfitManager.claimGaugeRewards().Tools Used
Manual analysis
Recommended Mitigation Steps
In case that the user doesn't have index assigned, assign it to current gauge profit index and return from the function early:
function claimGaugeRewards( address user, address gauge ) public returns (uint256 creditEarned) { uint256 _userGaugeWeight = uint256( GuildToken(guild).getUserGaugeWeight(user, gauge) ); if (_userGaugeWeight == 0) { return 0; } uint256 _gaugeProfitIndex = gaugeProfitIndex[gauge]; uint256 _userGaugeProfitIndex = userGaugeProfitIndex[user][gauge]; if (_gaugeProfitIndex == 0) { _gaugeProfitIndex = 1e18; } if (_userGaugeProfitIndex == 0) { - _userGaugeProfitIndex = 1e18; + userGaugeProfitIndex[user][gauge] = _gaugeProfitIndex; + return 0;Assessed type
Math
The text was updated successfully, but these errors were encountered: