fix: claimIncentiveFor Might Lead To Loss Of Funds For CGDA Incentive #134

Open
1 task done
Quazia opened this issue Sep 30, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@Quazia (Member)

Quazia commented Sep 30, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Package Version

0.0.0-alpha.12

Current Behavior

Summary
The protocol has introduced functionality to claim an incentive for other claimants. This requires data for the claim, and according to the sponsor (asked in thread) signatures are available publicly by way of an API, so this way I can claim for someone else. It's a neat feature, but for the CGDA incentive it can be disastrous.

Expected Behavior

No response

Steps To Reproduce

Scrawny Mustard Tadpole

High

claimIncentiveFor Might Lead To Loss Of Funds For CGDA Incentive
Summary
The protocol has introduced functionality to claim an incentive for other claimants. This requires data for the claim, and according to the sponsor (asked in thread) signatures are available publicly by way of an API, so this way I can claim for someone else. It's a neat feature, but for the CGDA incentive it can be disastrous.

Vulnerability Detail
1.) Alice completes an action, and for this action the incentive was a CGDAIncentive. The off-chain mechanism verifies that Alice has performed the action successfully and grants her the claim; as mentioned, the claim signatures are available publicly by way of an API.

2.) Alice now has a valid claim for the CGDAIncentive, but she wants to wait for some time before claiming, since the CGDA reward depends on lastClaimTime and she wants to maximise her gains; she wants to wait for 5 more blocks.

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/CGDAIncentive.sol#L124

3.) Bob comes and claims the incentive for Alice earlier:

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L164

He does it such that Alice gets a smaller incentive, because uint256 timeSinceLastClaim = block.timestamp - cgdaParams.lastClaimTime; is smaller than Alice intended, and hence the reward sent is smaller:

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/CGDAIncentive.sol#L123-L130

4.) Alice lost her incentives: she wanted to claim after 5 blocks and make maximum gains, but Bob ruined her returns.

Impact
Alice will get a far smaller incentive than intended due to Bob claiming on her behalf.

Code Snippet
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L164

Tool used
Manual Review

Recommendation
Don't let users claim for others for such time-dependent incentives.

Link to Minimal Reproducible Example (StackBlitz, CodeSandbox, GitHub repo etc.)

sherlock-audit/2024-06-boost-aa-wallet-judging#178

Anything else?

No response

@Quazia Quazia added the bug Something isn't working label Sep 30, 2024
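The griefing described in the reported steps, as an added example that is not part of the issue or of the Boost protocol's code. The reward curve below is an assumption: it grows linearly with time since the last claim (rewardBoost per hour), drops by rewardDecay after every claim, and is capped by the incentive's remaining balance. The BoostCore stand-in, its method names, the numeric parameters and the "alice"/"bob" identities are all constructed for the example; the hardened entry point implements the issue's recommendation of refusing third-party claims for time-dependent incentives.

```python
"""Toy model of claimIncentiveFor griefing against a CGDA incentive.

Added example, not Boost protocol code. The reward curve, the BoostCore
stand-in and all parameters are assumptions chosen to illustrate the issue.
Timestamps are plain seconds; block numbers are ignored.
"""
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class CGDAIncentive:
    balance: int            # asset held by the incentive (assumed)
    current_reward: int     # base reward as of last_claim_time (assumed)
    reward_decay: int       # subtracted after every claim (assumed)
    reward_boost: int       # linear growth per hour without a claim (assumed)
    last_claim_time: int
    claimed: set = field(default_factory=set)

    def reward_at(self, now: int) -> int:
        # Reward is a function of time since the last claim: claiming early
        # locks in a smaller value.
        elapsed = now - self.last_claim_time
        projected = self.current_reward + (elapsed * self.reward_boost) // HOUR
        return min(projected, self.balance)

    def claim(self, claimant: str, now: int) -> int:
        if claimant in self.claimed:
            raise ValueError("already claimed")
        reward = self.reward_at(now)
        self.claimed.add(claimant)
        self.last_claim_time = now
        self.current_reward = max(reward - self.reward_decay, self.reward_decay)
        self.balance -= reward
        return reward


@dataclass
class BoostCore:
    """Minimal stand-in for a core contract with a claim-on-behalf entry point."""
    incentive: CGDAIncentive
    valid_claimants: set    # claimants for which a validator signature exists

    def claim_incentive_for(self, caller: str, claimant: str, now: int) -> int:
        # Vulnerable pattern: `caller` is never checked, mirroring the fact that
        # anyone holding the public signature can submit it for `claimant`.
        if claimant not in self.valid_claimants:
            raise PermissionError("no valid signature for claimant")
        return self.incentive.claim(claimant, now)

    def claim_incentive_for_hardened(self, caller: str, claimant: str, now: int) -> int:
        # Mitigation per the issue's recommendation: for a time-dependent
        # incentive only the claimant may fix the claim time.
        if caller != claimant:
            raise PermissionError("CGDA incentives must be claimed by the claimant")
        return self.claim_incentive_for(caller, claimant, now)


def fresh_core() -> BoostCore:
    # Constructed parameters: reward starts at 100 and gains 60 per hour.
    inc = CGDAIncentive(balance=10_000, current_reward=100, reward_decay=20,
                        reward_boost=60, last_claim_time=0)
    return BoostCore(incentive=inc, valid_claimants={"alice"})


def alice_waits(hours: int) -> int:
    """Alice claims herself after waiting; the reward includes the time boost."""
    core = fresh_core()
    return core.claim_incentive_for("alice", "alice", now=hours * HOUR)


def bob_front_runs(hours: int, bob_at: int = 60) -> int:
    """Bob submits Alice's public signature early; her own later claim fails."""
    core = fresh_core()
    reward = core.claim_incentive_for("bob", "alice", now=bob_at)
    try:
        core.claim_incentive_for("alice", "alice", now=hours * HOUR)
    except ValueError:
        pass  # already claimed: Alice is stuck with the early, smaller reward
    return reward


def bob_blocked(hours: int, bob_at: int = 60) -> int:
    """With the hardened entry point Bob's call is refused; Alice keeps her plan."""
    core = fresh_core()
    try:
        core.claim_incentive_for_hardened("bob", "alice", now=bob_at)
    except PermissionError:
        pass
    return core.claim_incentive_for_hardened("alice", "alice", now=hours * HOUR)


if __name__ == "__main__":
    print("Alice waits 3h, claims herself:", alice_waits(3))
    print("Bob claims for Alice at 60s:   ", bob_front_runs(3))
    print("Hardened entry point:          ", bob_blocked(3))
```

With these constructed numbers Alice's planned 3-hour wait would pay 280, Bob's early call on her behalf locks in 101, and the hardened entry point restores 280. The exact figures depend on the assumed curve; the point is that any third party with the public signature controls when lastClaimTime is set for the claimant.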