31258 - [SC - High] Loss of Unclaimed Bribes After Burning veALCX T...
Previous31253 - [SC - Critical] RevenueHandlercheckpoint isnt correctlyNext31263 - [SC - Critical] RevenueHandlercheckpoint counts unclaimed rewar...
Last updated
Last updated
Submitted on May 15th 2024 at 21:09:32 UTC by @Limbooo for
Report ID: #31258
Report type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
Permanent freezing of unclaimed yield
This report details a vulnerability discovered in the VotingEscrow.sol contract of the Alchemix V2 DAO. The issue arises when users withdraw their locked veALCX tokens. During this process, unclaimed rewards are intended to be claimed, but the system fails to account for the potential bribes earned through voting interactions. Consequently, users who withdraw their veALCX tokens lose their right to claim these bribes, leading to permanent loss of rewards.
When a user withdraws their locked veALCX tokens (interacting with VotingEscrow::withdraw), the contract ensures that any unclaimed ALCX rewards and FLUX are claimed before the token is burned, resulting in the user losing their control over the token as they are no longer its owner.
While this procedure is generally acceptable, an issue arises when the user has interacted with the Voter contract and voted for pools (the user may have used their FLUX to boost their votes). The bribes earned from these votes will be lost if the user withdraws their token and subsequently attempts to claim their bribes. This is because Voter::claimBribes checks the ownership status of the token, and after the token is burned, the user is no longer considered its owner, preventing them from claiming their rewards.
The primary impact of this vulnerability is the permanent loss of bribes for users who withdraw their veALCX tokens. This occurs because the ownership check in the Voter::claimBribes function fails after the token is burned. Consequently, users are unable to claim rewards they have rightfully earned, leading to dissatisfaction and potential loss of trust in the protocol.
To mitigate this issue, it is recommended to enhance the withdrawal process to ensure that there are no unclaimed bribes before allowing the token to be burned. Here are a few suggested approaches:
Prevent Withdrawal if Bribes are Unclaimed: Implement a check in the VotingEscrow::withdraw function to prevent the withdrawal if there are unclaimed bribes. This ensures that users must claim their bribes before they can withdraw and burn their veALCX tokens.
Force Bribe Claiming During Withdrawal: Similar to how unclaimed ALCX rewards and FLUX are claimed during withdrawal, modify the withdrawal process to enforce the claiming of any unclaimed bribes. This would involve adding logic to claim bribes within the withdraw function, ensuring users receive all due rewards before their token is burned.
New Restriction of ClaimBribes Function: A new layer of security replaces the current check, could involve restricting who can call the Voter::claimBribes function to ensure that only valid claims are processed. However, this might be less effective than ensuring bribes are claimed during the withdrawal process. Also, it may has some drawbacks and establish a new way to manipulate the flow of voter contract specialty for cases like this issue where the veALCX is burned or ended (I remember proofing a vulnerability and it was prevent by the check of ownabilty of the token in claimBribes).
VotingEscrow.sol#L737-L775: https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L737-L775
VotingEscrow.sol#L1558-L1575: https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/VotingEscrow.sol#L1558-L1575
Voter.sol#L331-L339: https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/Voter.sol#L331-L339
The test can be added to a new file under the current test suite src/test/VotingPoC.t.sol, then specify the file name in FILE flag under Makefile configuration. Run using make test_file