Rewards distribution can be delayed/never distributed on AuraLocker.sol#L848 #1
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/aurafinance/aura-contracts-lite/blob/main/contracts/AuraLocker.sol#L848
Vulnerability details
Rewards distribution can be delayed/never distributed on AuraLocker.sol#L848
Issue
Someone malicious can delay the rewards distribution for non-cvxCrv tokens distributed on AuraLocker.sol:
1: Attacker will send one wei of a token that is distributed on AuraLocker.sol to AuraStakingProxy.
2: Attacker will call distributeOther.
The function will call notifyRewardAmount, which calls _notifyReward.
When _notifyReward is called, the rewards left to distribute over the 7 days are redistributed over a new period starting immediately.
Example: If the reward rate is 1 token (10**18) per second and 3.5 days (302400 seconds) are left, the leftover is 302400 tokens. This is then divided by 604800, so the reward rate becomes 0.5 and users of the protocol will have to wait one week for tokens that were supposed to be distributed over 3.5 days. This can be repeated again and again so that some rewards are never distributed.
Suggestion
I can see that queueNewRewards has some protective mechanism. A new period is started only if the token that is added on top of the already distributed tokens during the duration is over 120%.
I suggest adding a similar check to queueNewRewards.
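A small model of the period-reset arithmetic from the example above and of the ratio guard the suggestion refers to, added here as an illustration; it is not AuraLocker's code, and the 830/1000 threshold in guarded_notify is an assumed parameter chosen to reproduce the "over 120%" behaviour described:

```python
WEEK = 7 * 24 * 3600  # rewardsDuration: 604800 seconds


class RewardPeriod:
    """Synthetix-style reward accounting: a rate paid out until period_finish."""

    def __init__(self, duration=WEEK):
        self.duration = duration
        self.reward_rate = 0      # wei per second
        self.period_finish = 0    # unix time the running period ends

    def notify(self, reward, now):
        # Mirrors the _notifyReward behaviour described in the finding: whatever is
        # still unpaid in the running period is folded into a fresh full-length period.
        if now >= self.period_finish:
            self.reward_rate = reward // self.duration
        else:
            remaining = self.period_finish - now
            leftover = remaining * self.reward_rate
            self.reward_rate = (reward + leftover) // self.duration
        self.period_finish = now + self.duration

    def guarded_notify(self, reward, now, new_reward_ratio=830):
        # Assumed guard modelled on the queueNewRewards check described above: the new
        # amount must be large compared with what the running period has already paid
        # out (paid_so_far / reward < 0.83, i.e. reward is over ~120% of paid_so_far),
        # otherwise the period is left alone and False is returned.
        if reward <= 0:
            return False
        if now < self.period_finish:
            elapsed = now - (self.period_finish - self.duration)
            paid_so_far = self.reward_rate * elapsed
            if paid_so_far * 1000 // reward >= new_reward_ratio:
                return False
        self.notify(reward, now)
        return True


def dilution_example():
    """Constructed scenario from the finding: 1 token/s, 3.5 days left, 1 wei notified."""
    period = RewardPeriod()
    period.notify(WEEK * 10**18, now=0)   # 604800 tokens over one week -> 1e18 wei/s
    period.notify(1, now=WEEK // 2)        # one wei restarts the period at half rate
    return period.reward_rate, period.period_finish
```

The unguarded notify halves the rate to 0.5 tokens per second and pushes period_finish out a full week, while guarded_notify rejects the one-wei top-up and leaves the running period untouched.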