31435 - [SC - High] ALCX rewards arent claimed for from token when ...
Previous31430 - [SC - Insight] QANext31443 - [SC - Insight] Incorrect values of votingDelay and votingPerio...
Last updated
Was this helpful?
Last updated
Was this helpful?
Submitted on May 19th 2024 at 02:47:23 UTC by @OxAlix2 for
Report ID: #31435
Report type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol
Impacts:
Permanent freezing of unclaimed yield
Contract fails to deliver promised returns, but doesn't lose value
In VotingEscrow::withdraw, the protocol is claiming the ALCX rewards before burning the token, which makes sense as the token will be burnt. However, this is not done when merging 2 tokens, this puts the ALCX rewards of the "from" token at risk of being stuck forever.
When merging 2 tokens, token_1, and token_2, assume that token_1 has some unclaimed ALCX rewards, through the merge process token_1 will be burnt. So all these unclaimed ALCX will remain stuck forever as RewardsDistributor::claim will revert on the following:
because the token doesn't exist anymore.
ALCX rewards that were accumulated for the "from" token will remain unclaimable/stuck forever after the merge process.
https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/VotingEscrow.sol#L618-L651
Add the following in VotingEscrow::merge: