This repository has been archived by the owner on May 26, 2023. It is now read-only.
obront - Users who deposit extra funds into their Ichi farming positions will lose all their ICHI rewards #158
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
obront
high
Users who deposit extra funds into their Ichi farming positions will lose all their ICHI rewards
Summary
When a user deposits extra funds into their Ichi farming position using
openPositionFarm()
, the old farming position will be closed down and a new one will be opened. Part of this process is that their ICHI rewards will be sent to theIchiVaultSpell.sol
contract, but they will not be distributed. They will sit in the contract until the next user (or MEV bot) callsclosePositionFarm()
, at which point they will be stolen by that user.Vulnerability Detail
When Ichi farming positions are opened via the
IchiVaultSpell.sol
contract,openPositionFarm()
is called. It goes through the usual deposit function, but rather than staking the LP tokens directly, it callswIchiFarm.mint()
. This function deposits the token into theichiFarm
, encodes the deposit as an ERC1155, and sends that token back to the Spell:The resulting ERC1155 is posted as collateral in the Blueberry Bank.
If the user decides to add more funds to this position, they simply call
openPositionFarm()
again. The function has logic to check if there is already existing collateral of this LP token in the Blueberry Bank. If there is, it removes the collateral and callswIchiFarm.burn()
(which harvests the Ichi rewards and withdraws the LP tokens) before repeating the deposit process.However, this deposit process has no logic for distributing the ICHI rewards. Therefore, these rewards will remain sitting in the
IchiVaultSpell.sol
contract and will not reach the user.For an example of how this is handled properly, we can look at the opposite function,
closePositionFarm()
. In this case, the samewIchiFarm.burn()
function is called. But in this case, it's followed up with an explicit call to withdraw the ICHI from the contract to the user.doRefund(ICHI);
This
doRefund()
function refunds the contract's full balance of ICHI to themsg.sender
, so the result is that the next user to callclosePositionFarm()
will steal the ICHI tokens from the original user who added to their farming position.Impact
Users who farm their Ichi LP tokens for ICHI rewards can permanently lose their rewards.
Code Snippet
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/spell/IchiVaultSpell.sol#L199-L249
https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/wrapper/WIchiFarm.sol#L116-L150
Here is a link to the
harvest()
function on the IchiFarmV2.sol contract, which is called bywIchiFarm.sol
and contains the logic for distributing ICHI rewards: https://github.com/ichifarm/ichi-farming/blob/206c44b790fbb2a1e3a655685eb3ab8d793c9f00/contracts/ichiFarmV2.sol#L238-L257Tool used
Manual Review
Recommendation
In the
openPositionFarm()
function, in the section that deals with withdrawing existing collateral, add a line that claims the ICHI rewards for the calling user.if (collSize > 0) { (uint256 decodedPid, ) = wIchiFarm.decodeId(collId); if (farmingPid != decodedPid) revert INCORRECT_PID(farmingPid); if (posCollToken != address(wIchiFarm)) revert INCORRECT_COLTOKEN(posCollToken); bank.takeCollateral(collSize); wIchiFarm.burn(collId, collSize); + doRefund(ICHI); }
The text was updated successfully, but these errors were encountered: