Claiming outstanding utility tokens from vMaia vault DoS on pbHermes<>bHermes conversion rate > 1
#470
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-23
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/maia/tokens/ERC4626PartnerManager.sol#L215-L229
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/maia/vMaia.sol#L66-L88
Vulnerability details
Impact
Once a user deposits Maia ERC-20 tokens into the vMaia ERC-4626 vault, he is eligible to claim 3 kinds of utility tokens, bHermes Weight & Governance and Maia Governance (pbHermes, partner governance), via the ERC4626PartnerManager.claimOutstanding() method (ERC4626PartnerManager is the base of the vMaia contract).
The conversion rate between the utility tokens and vMaia tokens minted on deposit can be increased (and only increased) by the contract owner via the ERC4626PartnerManager.increaseConversionRate(...) method.
However, the checkWeight, checkGovernance & checkPartnerGovernance modifiers in the vMaia contract do not account for this conversion rate and therefore implicitly only allow a conversion rate of 1.
As a consequence, as soon as the conversion rate is increased to > 1, a call to ERC4626PartnerManager.claimOutstanding() will inevitably revert due to subsequent calls to the above modifiers. Since the conversion rate can only be increased and the vMaia vault contract is not upgradeable, the claimOutstanding() method is subject to permanent DoS.
Of course, the user can still claim a reduced amount of utility tokens (according to a conversion rate of 1) via the PartnerUtilityManager.claimMultipleAmounts(...) method (PartnerUtilityManager is the base of the ERC4626PartnerManager contract), but this still implies a loss of assets for the user since not all utility tokens he is eligible for can be claimed. Furthermore, this workaround doesn't help when the user is a contract which implemented a call to the claimOutstanding() method.
Proof of Concept
The following PoC demonstrates the above DoS when trying to claim the utility tokens with an increased conversion rate. Just apply the diff below and run the test cases with forge test -vv --match-test testDepositMaia:
Tools Used
VS Code, Foundry
Recommended Mitigation Steps
Simply remove the incorrect checkWeight, checkGovernance & checkPartnerGovernance modifiers from the vMaia contract, since the correct modifiers, which account for the conversion rate, are already implemented in the ERC4626PartnerManager contract.
Assessed type
Invalid Validation
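A simplified Python model of the interaction described in this report, added here as an illustration and not taken from the Maia code base. The Vault class, its method names, the single-token accounting and the sample numbers are assumptions; claim_amount stands in for the explicit-amount workaround path, and the model compares a check that ignores the conversion rate with one that multiplies the share balance by it.

```python
# Simplified model (an assumption, not the Maia contracts): one utility token,
# integer balances, and a Solidity revert represented by an exception.

class InsufficientShares(Exception):
    """Stands in for the revert raised by a check modifier."""

class Vault:
    def __init__(self, rate_aware_check):
        self.rate_aware_check = rate_aware_check  # False models the rate-unaware override
        self.rate = 1       # conversion rate, can only be increased
        self.balance = {}   # user -> vault shares
        self.claimed = {}   # user -> utility tokens already claimed

    def deposit(self, user, shares):
        self.balance[user] = self.balance.get(user, 0) + shares
        self.claimed.setdefault(user, 0)

    def increase_conversion_rate(self, new_rate):
        if new_rate <= self.rate:
            raise ValueError("rate can only be increased")
        self.rate = new_rate

    def _check(self, user, amount):
        # Rate-aware: entitlement is shares * rate. Rate-unaware: shares only.
        limit = self.balance[user] * (self.rate if self.rate_aware_check else 1)
        if limit < amount + self.claimed[user]:
            raise InsufficientShares()

    def claim_amount(self, user, amount):
        """Explicit-amount claim (the workaround path)."""
        self._check(user, amount)
        self.claimed[user] += amount

    def claim_outstanding(self, user):
        """Claims everything owed at the current conversion rate."""
        owed = self.balance[user] * self.rate - self.claimed[user]
        self.claim_amount(user, owed)
        return owed

def outcome(rate_aware_check, shares=100, new_rate=2):
    """Returns (claim_outstanding status, total tokens the user ends up with)."""
    v = Vault(rate_aware_check)
    v.deposit("alice", shares)  # constructed sample user and amount
    v.increase_conversion_rate(new_rate)
    try:
        v.claim_outstanding("alice")
        status = "ok"
    except InsufficientShares:
        status = "reverted"
        v.claim_amount("alice", shares)  # largest amount the rate-unaware check accepts
    return status, v.claimed["alice"]
```

With the rate-unaware check the full claim reverts and the workaround recovers only the rate-1 share of the entitlement; with the rate-aware check the full amount is claimable.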