31435 - [SC - High] ALCX rewards arent claimed for from token when ...

Submitted on May 19th 2024 at 02:47:23 UTC by @OxAlix2 for Boost | Alchemix

Report ID: #31435

Report type: Smart Contract

Report severity: High

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol

Impacts:

• Permanent freezing of unclaimed yield

• Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

In VotingEscrow::withdraw, the protocol is claiming the ALCX rewards before burning the token, which makes sense as the token will be burnt. However, this is not done when merging 2 tokens, this puts the ALCX rewards of the "from" token at risk of being stuck forever.

Vulnerability Details

When merging 2 tokens, token_1, and token_2, assume that token_1 has some unclaimed ALCX rewards, through the merge process token_1 will be burnt. So all these unclaimed ALCX will remain stuck forever as RewardsDistributor::claim will revert on the following:

require(approvedOrOwner || isVotingEscrow, "not approved");

because the token doesn't exist anymore.

Impact Details

ALCX rewards that were accumulated for the "from" token will remain unclaimable/stuck forever after the merge process.

References

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol#L618-L651

Mitigation

Add the following in VotingEscrow::merge:

Proof of concept