31008 - [SC - High] Alcx rewards are permanently frozen when two to...

Submitted on May 10th 2024 at 19:51:14 UTC by @Adrianx for Boost | Alchemix

Report ID: #31008

Report type: Smart Contract

Report severity: High

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol

Impacts:

• Permanent freezing of unclaimed yield

Description

Brief/Intro

Alcx rewards are not claimed before burning the merged token, which leads to a permanent freezing of unclaimed Alcx rewards.

Vulnerability Details

When two tokens are merged, the from token is burnt but the unclaimed alcx rewards of the from token are not claimed before burning it. This causes the unclaimed alcx rewards of the from token to be permanently frozen when the token is burnt.

        IFluxToken(FLUX).mergeFlux(_from, _to);

        // If max lock is enabled end is the max lock time, otherwise it is the greater of the two end times
        uint256 end = _locked1.maxLockEnabled
            ? ((block.timestamp + MAXTIME) / WEEK) * WEEK
            : _locked0.end >= _locked1.end
            ? _locked0.end
            : _locked1.end;

        locked[_from] = LockedBalance(0, 0, false, 0);
        _checkpoint(_from, _locked0, LockedBalance(0, 0, false, 0));
        _burn(_from, value0);
        _depositFor(_to, value0, end, _locked1.maxLockEnabled, _locked1, DepositType.MERGE_TYPE);

As seen above, the alcx rewards are not claimed before burning the merged token. This leads to a permanent freezing of unclaimed rewards.

Impact Details

Alcx rewards are permanently frozen when the from tokens are burnt during token merging.

References

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L649

Proof of Concept

Add the test below to VotingEscrow.t.sol and check the logs to see the frozen rewards.