In burn(), the contract subtracts the amount of ALGO to send from total_active_stake_key. That amount can be bigger than total_active_stake_key, causing an underflow.
Vulnerability Details
In burn() it subtracts the amount of ALGO that's sent to the user from total_active_stake_key:
total_active_stake_key is the sum of all the ALGO deposits made by users. When a user redeems their xALGO they get a little more ALGO back than they initially deposited, because of the rewards earned by the proposers. That surplus ALGO is not included in total_active_stake_key, so the total ALGO paid out for xALGO can exceed total_active_stake_key, which in turn causes an underflow in certain situations.
algo_to_send is calculated as:
Here, algo_balance is the total ALGO balance of the proposers (deposits + rewards).
This only applies to very large depositors or the last users to redeem their xALGO.
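The mismatch between total_active_stake_key and algo_balance, as an added Python model that is not the contract's own code: the pro-rata mint and redeem formulas, the constructed amounts, and the saturating-subtraction mitigation are assumptions for illustration.

```python
class StakePool:
    # Toy model of the three counters the report describes.
    def __init__(self):
        self.total_active_stake = 0  # models total_active_stake_key: deposits only
        self.algo_balance = 0        # ALGO held by proposers: deposits + rewards
        self.xalgo_supply = 0        # outstanding xALGO

    def mint(self, algo):
        # xALGO issued pro-rata to the pool's current ALGO balance (assumed formula)
        xalgo = algo if self.xalgo_supply == 0 else algo * self.xalgo_supply // self.algo_balance
        self.total_active_stake += algo
        self.algo_balance += algo
        self.xalgo_supply += xalgo
        return xalgo

    def accrue_rewards(self, algo):
        # proposer rewards grow algo_balance but never total_active_stake
        self.algo_balance += algo

    def algo_to_send(self, xalgo):
        # redeemer's pro-rata share of deposits + rewards (assumed formula)
        return xalgo * self.algo_balance // self.xalgo_supply

    def burn(self, xalgo, saturating=False):
        out = self.algo_to_send(xalgo)
        if saturating:
            # one possible mitigation: never drive the deposit counter below zero
            self.total_active_stake -= min(out, self.total_active_stake)
        elif out > self.total_active_stake:
            # reported behaviour: uint64 subtraction underflows, so the transaction fails
            raise OverflowError("total_active_stake_key underflow")
        else:
            self.total_active_stake -= out
        self.algo_balance -= out
        self.xalgo_supply -= xalgo
        return out


def simulate(saturating):
    # Two equal depositors, rewards accrue, both redeem (constructed amounts).
    # Returns (did the last redemption succeed?, remaining total_active_stake).
    pool = StakePool()
    a = pool.mint(1000)
    b = pool.mint(1000)
    pool.accrue_rewards(200)     # total_active_stake stays 2000, algo_balance is 2200
    pool.burn(a, saturating)     # first redeemer receives 1100, counter drops to 900
    try:
        pool.burn(b, saturating)  # last redeemer is owed 1100 but only 900 is tracked
        return True, pool.total_active_stake
    except OverflowError:
        return False, pool.total_active_stake
```

With the plain subtraction the last redeemer's burn fails and their xALGO stays stuck, matching the report; with the saturating variant both redemptions complete.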
Impact Details
A small subset of user funds will be frozen and not recoverable.