29059 - [SC - Medium] Race condition in StakingBonus will result in s...
Submitted on Mar 6th 2024 at 01:38:00 UTC by @Trust for
Report ID: #29059
Report type: Smart Contract
Report severity: Medium
Target: https://github.com/zerolend/governance
Impacts:
Theft of unclaimed yield
Holders of VestedZeroNFT tokens can lock them in exchange for boosted rewards through the StakingBonus contract.
When tokens are transferred into StakingBonus, its onERC721Received() function determines the bonus amount. If there are insufficient funds for the bonus, it sets the bonus to zero.
The lock is set for four years:
Suppose 100 Zero remains as bonus in the contract, the bonus is 50%, and two NFT holders, each with 200 Zero pending, wish to lock for the bonus. Both will see that there is enough bonus and transfer their NFT. In fact, there is a race condition: only the first transfer to be executed will receive the bonus. Because of the architecture of blockchains, there is literally no way for a user to know whether their call will be frontrun, so it is not the user's fault.
The data passed to onERC721Received() should include a minBonus amount, to prevent slippage (i.e. lack of bonus) being suffered by the user.
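The scenario above and the recommended minBonus check, modelled off-chain in TypeScript as an added example (this is not the contract's code or the report's modified test). The class, the method names and the way minBonus is supplied are assumptions made for illustration.

```typescript
// Off-chain model of the behaviour described in the report (constructed for
// illustration; not the StakingBonus source). Amounts are whole Zero tokens.
type LockResult = { bonus: number; lockYears: number };

class StakingBonusModel {
  bonusPool: number;
  bonusPercent: number;

  constructor(bonusPool: number, bonusPercent: number) {
    this.bonusPool = bonusPool;
    this.bonusPercent = bonusPercent;
  }

  // What a user sees when checking the bonus before sending the NFT.
  quoteBonus(pending: number): number {
    const bonus = Math.floor((pending * this.bonusPercent) / 100);
    // As described in the report: insufficient funds silently zero the bonus.
    return bonus <= this.bonusPool ? bonus : 0;
  }

  // Stands in for onERC721Received(); minBonus is the hypothetical field the
  // report recommends carrying in `data`. The default 0 is today's behaviour.
  receiveNft(pending: number, minBonus: number = 0): LockResult {
    const bonus = this.quoteBonus(pending);
    if (bonus < minBonus) {
      // On-chain this would revert, so the NFT is never locked.
      throw new Error("bonus " + bonus + " below minBonus " + minBonus);
    }
    this.bonusPool -= bonus;
    return { bonus: bonus, lockYears: 4 };
  }
}

// Report scenario: 100 Zero of bonus left, 50% bonus, two holders with 200 pending.
function raceWithoutMinBonus(): LockResult[] {
  const c = new StakingBonusModel(100, 50);
  return [c.receiveNft(200), c.receiveNft(200)];
}

function raceWithMinBonus() {
  const c = new StakingBonusModel(100, 50);
  const quoted = c.quoteBonus(200); // both users see 100 before sending
  const first = c.receiveNft(200, quoted);
  let secondReverted = false;
  try { c.receiveNft(200, quoted); } catch (e) { secondReverted = true; }
  return { first: first, secondReverted: secondReverted, poolAfter: c.bonusPool };
}
```

Without minBonus the second holder is locked for four years with a bonus of zero; with it, the second transfer fails and the holder keeps the NFT.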
A user will lock their tokens for 4 years unnecessarily, so they suffer from an unwanted freeze for lack of rewards.
We have modified the test in StakingBonus.test.ts to show the issue: