LP unwrap / wrap is fully broken if the master chef contract has insufficient reward tokens, which blocks wlp decollateralization and wlp liquidation
medium
Lines of code
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/wrapper/WLpMoeMasterChef.sol#L145
https://github.com/code-423n4/2024-01-init-capital-invitational/blob/a01c4de620be98f9e57a60cf6a82d4feaec54f58/contracts/core/InitCore.sol#L284
Vulnerability details
Impact
LP unwrap / wrap is fully broken if the master chef contract has insufficient reward tokens.
Proof of Concept
We need to look at the external master chef contract, which is not under the control of the Init Capital protocol team.
On deposit / withdraw / harvest / claim, the function _modify is called.
It contains this code:
```solidity
if (moeReward > 0) _moe.safeTransfer(account, moeReward);

if (address(extraRewarder) != address(0)) {
    extraRewarder.onModify(account, pid, oldBalance, newBalance, oldTotalSupply);
}
```
As we can see, on deposit / withdraw / harvest, the pending reward is transferred from the master chef contract to msg.sender (which is the lp wrapper contract).
When extraRewarder.onModify is called, the reward is transferred from the extra rewarder to the wrapper contract.
But someone needs to transfer the moe token into the master chef to ensure there is a sufficient reward token balance,
and someone needs to transfer the reward token into the extraReward contract to ensure there is a sufficient reward token balance.
If there are insufficient reward tokens in the master chef contract or in extraReward,
the code will revert:
```solidity
if (moeReward > 0) _moe.safeTransfer(account, moeReward);

if (address(extraRewarder) != address(0)) {
    extraRewarder.onModify(account, pid, oldBalance, newBalance, oldTotalSupply);
}
```
Suppose that, after the reward accounting update, the wlp contract is entitled to 10000 moe tokens and 100 usdc tokens as extra reward,
but the master chef holds only 9000 tokens.
Attempting to transfer the 10000 moe tokens will revert.
The impact is severe because this revert blocks lp unwrap and blocks the original lp owner's attempts to decollateralize wlp,
and it makes liquidation revert as well.
Tools Used
Manual Review
Recommended Mitigation Steps
When the regular withdraw fails,
the code should call emergencyWithdraw.
This function does not claim rewards, but it at least ensures that withdrawing wlp during lp decollateralization or liquidation does not revert.
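One way to implement this fallback, as an added sketch that is not code from the Init Capital repository or from the original report. The interfaces, the `UnwrapFallbackSketch` contract, the `emergencyExited` flag and the event are hypothetical, and the sketch assumes `emergencyWithdraw(pid)` returns the caller's entire stake for that pool without paying rewards:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal interfaces; the real master chef signatures may differ.
interface IMasterChefLike {
    function withdraw(uint256 pid, uint256 amount) external;
    // Assumption: returns the caller's full stake for `pid` and skips rewards.
    function emergencyWithdraw(uint256 pid) external;
}

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical wrapper fragment; position and share accounting are omitted.
contract UnwrapFallbackSketch {
    IMasterChefLike public immutable masterChef;
    // pid => true once the whole stake was pulled out and is held idle here.
    mapping(uint256 => bool) public emergencyExited;

    event RewardClaimSkipped(uint256 indexed pid);

    constructor(IMasterChefLike mc) {
        masterChef = mc;
    }

    // Pull `amount` of LP for `pid` out of the farm and send it to `to`.
    function _withdrawLp(uint256 pid, IERC20Like lp, uint256 amount, address to) internal {
        if (!emergencyExited[pid]) {
            try masterChef.withdraw(pid, amount) {
                // Normal path: rewards were paid to this contract inside withdraw().
            } catch {
                // The reward transfer reverted: exit the farm without rewards
                // so unwrap, decollateralize and liquidation can still proceed.
                masterChef.emergencyWithdraw(pid);
                emergencyExited[pid] = true;
                emit RewardClaimSkipped(pid);
            }
        }
        // After an emergency exit, later unwraps are paid from the idle balance.
        require(lp.balanceOf(address(this)) >= amount, "lp shortfall");
        require(lp.transfer(to, amount), "lp transfer failed");
    }
}
```

The bare `catch` also fires on reverts unrelated to reward balance, and rewards accrued before the fallback stay unclaimed, so the wrapper's reward accounting has to tolerate a skipped claim.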
Assessed type
Token-Transfer
