Delayed reSDL supply update impacting secondary chain rewards
Summary
The SDLPoolCCIPControllerSecondary contract faces a synchronization issue in updating the reSDL supply between the secondary and primary chains, leading to potential discrepancies in reward distributions.
Vulnerability Details
The flaw is identified in the _ccipReceive function. The secondary chain fails to update its reSDL supply in sync with the primary chain, unless there's a distribution of SDL tokens as rewards. This behavior results in the secondary chain being frequently out of sync, especially when the reward distribution doesn't impact the reSDL supply.
Impact
This desynchronization can lead to the secondary chain often being out of sync with the primary chain, resulting in inaccurate reward distributions. Over time, this issue can cause significant discrepancies in reward allocation.
Tools Used
Manual Review
Recommendations
The recommended fix is to adjust the update mechanism. Directly check ISDLPoolSecondary(sdlPool).shouldUpdate() in both the checkUpkeep and performUpkeep functions instead of using the storage variable shouldUpdate. This change ensures the secondary chain stays up-to-date with the primary chain's reSDL supply, independent of the reward distribution events.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.