Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

hickuphh3 - Stuck emissions for nullified epochs #122

Open
sherlock-admin opened this issue Mar 27, 2023 · 3 comments
Open

hickuphh3 - Stuck emissions for nullified epochs #122

sherlock-admin opened this issue Mar 27, 2023 · 3 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin
Copy link
Contributor

hickuphh3

medium

Stuck emissions for nullified epochs

Summary

If either the premium and / or collateral vault has 0 TVL for an epoch with emissions, those emissions will not be withdrawable by anyone.

Vulnerability Detail

The finalTVL set for a vault with 0 TVL (epoch will be nullified) will be 0. As a result, emissions that were allocated to that vault are not withdrawable by anyone.

It's admittedly unlikely to happen since the emissionsToken is expected to be Y2K which has value and is tradeable.

Impact

Emissions cannot be recovered.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L157
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L630-L636

Tool used

Manual Review

Recommendation

Create a function to send emissions back to the treasury if an epoch is marked as nullified.

A related issue is that if both the premium and collateral vaults have 0 TVL, only the collateral vault gets marked as nullified. Consider handling this edge case.

@3xHarry
Copy link

3xHarry commented Apr 5, 2023

great catch

3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue Apr 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
@3xHarry
Copy link

3xHarry commented Apr 11, 2023

fix PR: Y2K-Finance/Earthquake#139

@3xHarry 3xHarry added the Will Fix The sponsor confirmed this issue will be fixed label Apr 28, 2023
@IAm0x52
Copy link
Collaborator

IAm0x52 commented May 5, 2023

Fix looks good. setEpochNull is overridden in Carousel to transfer emissions back to treasury

3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue May 8, 2023
3xHarry added a commit to Y2K-Finance/Earthquake that referenced this issue May 8, 2023
	# No commands remaining.
	# You are currently rebasing branch 'sherlock-fix-14' on 'e9f0d69'.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Development

No branches or pull requests

3 participants