The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Incompatibility with Rebasing Tokens

Vulnerability Details:

The LiquidationPoolManager contract does not support tokens that undergo rebasing, such as AMPL. Rebasing tokens have dynamic balances, meaning the token balance of an address can fluctuate over time due to mechanisms like supply adjustments.

The claimRewards function in the contract pays out rewards from liquidations that were recorded as a static amount. This fixed value doesn't account for potential changes due to rebasing:

    function claimRewards() external {
        ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();
        for (uint256 i = 0; i < _tokens.length; i++) {
            ITokenManager.Token memory _token = _tokens[i];
            uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];
            if (_rewardAmount > 0) {
                delete rewards[abi.encodePacked(msg.sender, _token.symbol)];
                if (_token.addr == address(0)) {
                    (bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");
                    require(_sent);
                } else {
                    IERC20(_token.addr).transfer(msg.sender, _rewardAmount);
                }
            }
        }
    }

As a result, when users claim their rewards, the amount of assets received is based on these static values and does not reflect any changes caused by the rebasing of the underlying asset. This discrepancy leads to users receiving incorrect amounts of the asset post-rebase.

Impact:

The use of rebasing tokens within the LiquidationPoolManager contract results in incorrect reward distributions. Depending on whether the asset's supply increases or decreases due to rebasing, stakers may receive more or less of the asset than they are entitled to.
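The mismatch described above can be reproduced off-chain. This is an added example, not code from the submission or from The Standard: `RebasingToken`, `StaticRewardLedger`, `simulate`, the account names and all amounts are constructed for illustration, and the token is a simplified share-based model in the style of AMPL. It also shows a solvency check (recorded liabilities versus the balance actually held) that flags the drift.

```javascript
const SHARES = 10n ** 12n; // fixed share supply; balances scale with totalSupply

// Constructed rebasing token: stores shares, derives balances from supply.
class RebasingToken {
  constructor(supply) { this.supply = supply; this.shares = new Map([["minter", SHARES]]); }
  balanceOf(a) { return ((this.shares.get(a) ?? 0n) * this.supply) / SHARES; }
  transfer(from, to, amount) {
    const s = (amount * SHARES) / this.supply; // token amount -> shares at current supply
    if ((this.shares.get(from) ?? 0n) < s) throw new Error("insufficient balance");
    this.shares.set(from, this.shares.get(from) - s);
    this.shares.set(to, (this.shares.get(to) ?? 0n) + s);
  }
  rebase(newSupply) { this.supply = newSupply; } // every holder's balance scales
}

// Models the static bookkeeping read by claimRewards: a fixed amount per user.
class StaticRewardLedger {
  constructor(token) { this.token = token; this.rewards = new Map(); }
  record(user, amount) { this.rewards.set(user, amount); }
  owed() { let t = 0n; for (const v of this.rewards.values()) t += v; return t; }
  // Solvency check: > 0 means the ledger owes more than the pool holds.
  shortfall() { return this.owed() - this.token.balanceOf("pool"); }
  claim(user) {
    const amount = this.rewards.get(user) ?? 0n;
    this.token.transfer("pool", user, amount); // throws like a reverting transfer
    this.rewards.delete(user);                 // entry survives if the transfer failed
  }
}

function simulate(newSupply) {
  const token = new RebasingToken(1000n);
  const pool = new StaticRewardLedger(token);
  token.transfer("minter", "pool", 100n); // liquidated collateral arrives
  pool.record("alice", 60n);
  pool.record("bob", 40n);
  token.rebase(newSupply);                // supply changes after rewards were recorded
  const shortfall = pool.shortfall();
  pool.claim("alice");
  let bobPaid = true;
  try { pool.claim("bob"); } catch { bobPaid = false; }
  return { shortfall, alice: token.balanceOf("alice"), bobPaid, stranded: token.balanceOf("pool") };
}
```

With a supply contraction (`simulate(800n)`) the first claimant is paid in full and the second claim fails; with an expansion (`simulate(1250n)`) both are paid and the surplus stays in the pool with no ledger entry covering it.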

Tools Used:

Manual analysis

Recommendation:

The protocol should explicitly ensure that tokens eligible to be added as collateral tokens are not rebasing tokens, as the current system is not equipped to handle them.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

informational/invalid
