29190 - [SC - Insight] Permanent freezing of up to wei of yield each ...
Submitted on Mar 10th 2024 at 01:46:37 UTC by @nethoxa for Boost | ZeroLend
Report ID: #29190
Report type: Smart Contract
Report severity: Insight
Target: https://github.com/zerolend/governance
Impacts:
Permanent freezing of unclaimed yield
Description
Brief/Intro
Due to a rounding error when notifying a reward to LendingPoolGauge, up to 3 wei of the used token will be locked forever in the contract.
Vulnerability Details
It is well known that Solidity rounds down on integer division. In LendingPoolGauge::notifyRewardAmount the contract sends amount / 4 to the supplyGauge and amount / 4 * 3 to the borrowGauge, so if the given amount is not divisible by 4, up to 3 wei of yield will be permanently locked in the contract, as there is no way to take them back:

    function notifyRewardAmount(
        address token,
        uint256 amount
    ) external returns (bool) {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);

        // send 1/4 to the supply side
        IERC20(token).approve(address(supplyGauge), amount);
        bool a = supplyGauge.notifyRewardAmount(token, amount / 4);

        // send 3/4th to the borrow side
        IERC20(token).approve(address(borrowGauge), amount);
        bool b = borrowGauge.notifyRewardAmount(token, (amount / 4) * 3); // @audit rounding, yield lost forever

        return a && b;
    }

It may not be a high amount for tokens with high decimals, but for other tokens like USDC (6 decimals) or a variant of EURO which I do not remember, but had 2 decimals, it can be a significant loss of yield.
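One way to remove the rounding dust is to round once for the supply side and derive the borrow side by subtraction. The contract below is an added example, not code from the report or from ZeroLend. The names IGaugeLike and SplitGaugeExample are hypothetical, and it assumes OpenZeppelin 5.x (for forceApprove) and that each gauge pulls exactly the notified amount with transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal interface, shaped after the calls shown in the report.
interface IGaugeLike {
    function notifyRewardAmount(address token, uint256 amount) external returns (bool);
}

// Illustrative contract, not ZeroLend's LendingPoolGauge.
contract SplitGaugeExample {
    using SafeERC20 for IERC20;

    IGaugeLike public immutable supplyGauge;
    IGaugeLike public immutable borrowGauge;

    constructor(IGaugeLike supplyGauge_, IGaugeLike borrowGauge_) {
        supplyGauge = supplyGauge_;
        borrowGauge = borrowGauge_;
    }

    function notifyRewardAmount(address token, uint256 amount) external returns (bool) {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);

        // Round down once, for the supply side only.
        uint256 supplyShare = amount / 4;
        // Derive the borrow side by subtraction so the two shares always
        // sum to `amount`; the 0-3 wei remainder goes to the borrow gauge.
        uint256 borrowShare = amount - supplyShare;

        // Approve exactly what each gauge is expected to pull
        // (assumption: the gauges transferFrom the notified amount).
        IERC20(token).forceApprove(address(supplyGauge), supplyShare);
        bool a = supplyGauge.notifyRewardAmount(token, supplyShare);

        IERC20(token).forceApprove(address(borrowGauge), borrowShare);
        bool b = borrowGauge.notifyRewardAmount(token, borrowShare);

        return a && b;
    }
}
```

With this split the borrow side receives three quarters plus the remainder, so it can exceed an exact 3/4 share by at most 3 wei, and nothing stays behind in the splitting contract.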
Impact Details
Vanilla loss of yield, permanent as there is no way to take them back.
Proof of Concept
The runnable POC is the next one: