This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
xiaoming90 - Claimed tokens obtained during the burning of DV shares are overwritten #618
Comments
github-actions
bot
added
High
sherlock-admin2
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
xiaoming90
high
Claimed tokens obtained during the burning of DV shares are overwritten
Summary
The reward tokens claimed while burning DV shares are overwritten, resulting in the loss of reward tokens for the users.
Vulnerability Detail
When withdrawing the base assets via the
withdrawBaseAssetfunction in Line 487 below, it will burn the DV shares internally. When the DV shares are burned, the DV rewards will be automatically redeemed and transferred to this contract. This was also highlighted in the source code's comment on Line 485 below.Assume the LMPVault only has one DV, and the states are as follows at this point.
The
DV.withdrawBaseAssetfunction is executed at this point, and the function returns 103 WETH.The
_baseAsset.balanceOf(address(this)) - assetPreBal - assetPulledwill compute the reward tokens received and add the amount to theinfo.idleIncrease.Assume that
_baseAsset.balanceOf(address(this)) - assetPreBalis 110 WETH. The reward tokens received will be 7 WETH (110 - 103) as shown below.The
info.idleIncreasewill be incremented to 7 WETH to account for the reward tokens received.At Line 488, the
info.totalAssetsPulledwill be incremented by103WETH.The states at this point will be as follows:
At Line 493 below, since
info.totalAssetsPulled > info.totalAssetsToPull(103 > 100) is true, theinfo.idleIncreasewill be set to 3 WETH.As shown above, the 7 WETH reward tokens were initially collected and recorded in the
info.idleIncreasevariable has been overwritten and cleared. Thus, the reward tokens are lost.https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L482
Impact
Loss of reward tokens.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVault.sol#L482
Tool used
Manual Review
Recommendation
The extra tokens collected when burning the DV shares and swaps should be incremented to
info.idleIncreaseinstead of overwriting it.uint256 assetPreBal = _baseAsset.balanceOf(address(this)); uint256 assetPulled = destVault.withdrawBaseAsset(sharesToBurn, address(this)); // Destination Vault rewards will be transferred to us as part of burning out shares // Back into what that amount is and make sure it gets into idle info.idleIncrease += _baseAsset.balanceOf(address(this)) - assetPreBal - assetPulled; info.totalAssetsPulled += assetPulled; info.debtDecrease += totalDebtBurn; // It's possible we'll get back more assets than we anticipate from a swap // so if we do, throw it in idle and stop processing. You don't get more than we've calculated if (info.totalAssetsPulled > info.totalAssetsToPull) { - info.idleIncrease = info.totalAssetsPulled - info.totalAssetsToPull; + info.idleIncrease += info.totalAssetsPulled - info.totalAssetsToPull; info.totalAssetsPulled = info.totalAssetsToPull; break; }Using the same example, if the above changes are implemented, 3 WETH will be added to the
info.idleIncreasethat already contains 7 WETH. In the end, it will correctly account for all the extra 10 WETH.Duplicate of #5
The text was updated successfully, but these errors were encountered: