This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
sherlock-admin opened this issue Mar 28, 2023 · 0 comments
Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), High (A valid High severity issue), Reward (A payout will be made for this issue)
carrot
high
Users lose premium gained when enrolled to mintRollovers
Summary
The mintRollovers function in Carousel.sol is used to invest the winnings of one epoch into another epoch. The user must enlist into the system, which creates a QueueItem struct for the user, storing their position details. This function, however, does not take into account the change in the user's balance due to the premium earned, and only re-invests the old amount, losing the user's premium.
Vulnerability Detail
mintRollovers is used to re-invest earnings from one epoch into another. It does this in the following steps.
First, it does some checks to make sure the user has won the epoch and has enough funds to cover relayer fees.
if (queue[index].assets < relayerFee) {
    index++;
    continue;
}
Next, it withdraws both the assets and the emissions, burning the positions.
It transfers out only the emissions, and then re-invests the assets (after deducting the relayer fee) into another epoch.
The code, however, never updates the value of queue[index].assets to reflect the new value after the previous epoch ended. So the protocol only reinvests the old amount, which doesn't include the premium amount, and thus the end user loses all premium earnings. These earnings are sent to the carousel contract when the position is burnt, but they are never transferred out to the end user.
Impact
User unable to earn premium.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L361-L459
Tool used
Manual Review
Recommendation
Update the value of queue[index].assets to reflect the premium earned. The new value is already calculated and stored in the entitledShares variable, so a simple assignment before re-investing is enough:
queue[index].assets = entitledShares;
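The accounting flaw and the recommended fix, shown side by side in a deliberately small vault model. This is an added illustration, not the Y2K Carousel contract: the contract name RolloverModel, the payoutBps multiplier, the balanceOf mapping standing in for the ERC1155 shares, the strandedAssets counter and the _settle helper are all assumptions made for the example; only the QueueItem.assets field, the relayerFee check and the one-line fix queue[index].assets = entitledShares mirror the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the Y2K Carousel contract. A small vault model:
// one balance per (epoch, user), a payout multiplier per resolved epoch, and a
// rollover queue whose stored `assets` value is only written at enrolment.
contract RolloverModel {
    struct QueueItem {
        uint256 assets;   // amount recorded when the user enlisted
        address receiver;
        uint256 epochId;
    }

    // Payout of a resolved epoch in basis points of the deposit (assumed model).
    // 12_000 means the deposit came back with a 20% premium (constructed value).
    mapping(uint256 => uint256) public payoutBps;
    // Position size per epoch and user (stands in for the ERC1155 shares).
    mapping(uint256 => mapping(address => uint256)) public balanceOf;
    // Value that was burnt into the contract but neither reinvested nor paid out.
    uint256 public strandedAssets;

    QueueItem[] public queue;
    uint256 public immutable relayerFee;

    constructor(uint256 _relayerFee) {
        relayerFee = _relayerFee;
    }

    function setPayout(uint256 epochId, uint256 bps) external {
        payoutBps[epochId] = bps;
    }

    function enlist(uint256 epochId, uint256 assets) external {
        balanceOf[epochId][msg.sender] += assets;
        queue.push(QueueItem({assets: assets, receiver: msg.sender, epochId: epochId}));
    }

    // What a position is entitled to once its epoch has resolved.
    function previewWithdraw(uint256 epochId, uint256 assets) public view returns (uint256) {
        return (assets * payoutBps[epochId]) / 10_000;
    }

    // Shared prologue: the checks the finding describes (epoch won, fee coverable),
    // then the entitlement is computed and the old position is burnt.
    function _settle(QueueItem storage item) internal returns (uint256 entitledShares) {
        require(payoutBps[item.epochId] >= 10_000, "epoch not won");
        require(item.assets >= relayerFee, "cannot cover relayer fee");
        entitledShares = previewWithdraw(item.epochId, item.assets);
        balanceOf[item.epochId][item.receiver] = 0; // burn the old position
    }

    // Behaviour the finding describes: entitledShares is known, but the stale
    // queue[index].assets is what gets reinvested, so the premium stays behind.
    function mintRolloverStale(uint256 index, uint256 nextEpochId) external {
        QueueItem storage item = queue[index];
        uint256 entitledShares = _settle(item);
        uint256 reinvested = item.assets - relayerFee;   // BUG: pre-premium amount
        balanceOf[nextEpochId][item.receiver] += reinvested;
        strandedAssets += entitledShares - item.assets;  // premium never leaves the contract
        item.epochId = nextEpochId;
    }

    // Same flow with the recommended one-line fix applied before re-investing.
    function mintRolloverFixed(uint256 index, uint256 nextEpochId) external {
        QueueItem storage item = queue[index];
        uint256 entitledShares = _settle(item);
        item.assets = entitledShares;                    // FIX: queue[index].assets = entitledShares;
        uint256 reinvested = item.assets - relayerFee;
        balanceOf[nextEpochId][item.receiver] += reinvested;
        item.epochId = nextEpochId;
    }
}
```

With a constructed walk-through of relayerFee = 1, enlist(1, 100) and setPayout(1, 12_000), the stale path reinvests 99 into the next epoch and leaves 20 in strandedAssets, while the fixed path reinvests 119 and strands nothing. Note that in both paths the relayer-fee check still runs against the pre-update value, matching the recommendation's placement of the assignment after the checks and before re-investing.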
Duplicate of #163