cu5t0mPe0 - Users will lose their reward tokens

[sherlock-admin2]

cu5t0mPe0

high

Users will lose their reward tokens

Summary

When a user uses the Stake Module, the LPStakingTime contract will actually send the reward token back when staking or unstaking, and the user does not need to call withdraw again to claim the reward token. However, since the Stake Module uses the latest data to receive reward tokens, users will lose part of their reward tokens.

Vulnerability Detail

Users can call AbstractStakingAM::mint to create a position NFT. When the user needs to add liquidity to the current position, he can call AbstractStakingAM::increaseLiquidity. mint and increaseLiquidity are actually pledged through StakedStargateAM::_stake, and _stake calls LPStakingTime: :deposit to pledge.

LPStakingTime.sol::deposit

    function deposit(uint256 _pid, uint256 _amount) external { 
        PoolInfo storage pool = poolInfo[_pid];
        UserInfo storage user = userInfo[_pid][msg.sender];
        updatePool(_pid);
        if (user.amount > 0) {
            uint256 pending = user.amount.mul(pool.accEmissionPerShare).div(1e12).sub(user.rewardDebt);
            safeTokenTransfer(msg.sender, pending);
        }
        pool.lpToken.safeTransferFrom(address(msg.sender), address(this), _amount);

        user.amount = user.amount.add(_amount);
        user.rewardDebt = user.amount.mul(pool.accEmissionPerShare).div(1e12);
        lpBalances[_pid] = lpBalances[_pid].add(_amount);
        emit Deposit(msg.sender, _pid, _amount);
    }

During the staking process, LPStakingTime::deposit will check whether the user already has the pledged amount, and if so, the reward token will be sent to the Stake Module, and then rewardDebt will be updated to prepare for the next reward token.

For users of the Stake Module module, reward tokens are collected through AbstractStakingAM::claimReward, and AbstractStakingAM::claimReward calculates reward tokens through AbstractStakingAM::_getRewardBalances. During the process of calculating the reward token, StakedStargateAM::_getCurrentReward->LPStakingTime::pendingEmissionToken will be called to obtain the reward token of the Stake Module.

And if a user adds liquidity or creates a new position before another user collects the reward, then the reward token value returned by LPStakingTime::pendingEmissionToken is generated from the time of the previous user's pledge to the current time. , this will cause a loss of reward tokens for users who have pledged a long time ago, because the calculation of _getRewardBalances is based on the token of this reward - the token of the previous reward, rather than the total reward token - the previous total reward. token, this calculation process omits the reward tokens of stake and unstake, resulting in this result.

Impact

Users will lose their reward tokens

Code Snippet

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/asset-modules/abstracts/AbstractStakingAM.sol#L285-L320

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/asset-modules/abstracts/AbstractStakingAM.sol#L327-L354

https://github.com/sherlock-audit/2023-12-arcadia/blob/main/accounts-v2/src/asset-modules/abstracts/AbstractStakingAM.sol#L371-L424

Tool used

Manual Review

Recommendation

Optimize the calculation method of reward token for LPStakingTime, and record the value of reward token in any similar operations such as adding liquidity or reducing liquidity.

Duplicate of #38

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid