31071 - [SC - Critical] User can steal bribes and prevent other users f...
Submitted on May 12th 2024 at 08:42:33 UTC by @imsrybr0 for Boost | Alchemix
Report ID: #31071
Report type: Smart Contract
Report severity: Critical
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol
Impacts:
Theft of unclaimed yield
Description
Brief/Intro
User can steal bribes and prevent other users from claiming theirs.
Vulnerability Details
Voter@distribute resets the total votes to 0 on the given Gauge's corresponding Bribe and doesn't trigger a voting checkpoint. It also doesn't change the individual user balances and total supply, causing Bribe and Voter to be out of sync until all previous voters vote again.
Additionally, Voter@claimBribes triggers a checkpoint for the given token id.
Combined, they allow for a situation where a user:
- Votes in Epoch N.
- In Epoch N + 1:
  - Does not vote.
  - Calls Voter@claimBribes to claim any bribes from Epoch N, triggering a checkpoint and activating rewards for this epoch (i.e. Epoch N + 1, claimable in Epoch N + 2).
  - Calls Voter@distribute to reset total votes. Rewards will now be calculated based on new voters, but still distributed to everyone with a checkpoint.
The user can keep claiming a share of bribes in future epochs at the expense of other voters.
Impact Details
The impact of this issue varies with the participating voters' voting power and the pool allocations. It can range from rewards being fully stolen to partially stolen, and can prevent all or some users from claiming theirs because of a lack of funds to cover their shares.
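The accounting mismatch described above can be reproduced in a toy Python model, added here as an illustration and not taken from Voter.sol or Bribe.sol. The class, its method names, the pro-rata split rule and the vote weights are assumptions; the model checks the solvency invariant (claimable shares never exceed the bribe deposited) for an epoch where every voter re-votes and for the sequence in this report.

```python
from fractions import Fraction


class BribeModel:
    """Toy model with assumed rules (not Bribe.sol): an epoch's bribe is split
    as balance / total_votes among token ids checkpointed in that epoch."""

    def __init__(self):
        self.balance = {}          # token id -> balance; survives distribute()
        self.total_votes = 0       # counter that distribute() resets to 0
        self.checkpointed = set()  # token ids with a checkpoint this epoch

    def vote(self, token_id, weight):
        self.balance[token_id] = weight
        self.total_votes += weight
        self.checkpointed.add(token_id)

    def claim_bribes(self, token_id):
        # Payout for earlier epochs is omitted; only the checkpoint is modelled.
        self.checkpointed.add(token_id)

    def distribute(self):
        # Resets the total only; balances and checkpoints stay as they were.
        self.total_votes = 0

    def shares(self, bribe):
        return {t: Fraction(bribe * self.balance[t], self.total_votes)
                for t in sorted(self.checkpointed)}


def is_solvent(shares, bribe):
    # Invariant: the claimable shares never exceed the bribe deposited.
    return sum(shares.values()) <= bribe


def epoch_n_plus_1(a_revotes, bribe=1000):
    """Constructed scenario: A and B each vote with weight 100 in epoch N."""
    m = BribeModel()
    m.vote("A", 100)
    m.vote("B", 100)
    m.checkpointed.clear()       # epoch N + 1 begins
    if a_revotes:
        m.distribute()
        m.vote("A", 100)
    else:
        m.claim_bribes("A")      # checkpoint without voting
        m.distribute()
    m.vote("B", 100)
    return m.shares(bribe)
```

In the model, a fix has to restore this invariant, either by keeping the total in step with the balances that remain checkpointed or by not crediting a balance that was not re-voted after the reset.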
References
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Voter.sol#L332-L380
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol