Logic error in calculating bribe allocations
Days in Operation:
yearn security team has discovered a vulnerability in a third-party BribeV2 contract and made disclosures to the relevant parties and have released a new fixed contract for everyone to use.
During a routine check, irregularities were discovered in the amount of SPELL bribes being claimed by some users of the BribeV2 contract. Following analysis, it was determined to be an attacker exploiting a flaw in the way the contract calculates bribe allocations since Sep 2021.
The flaw causes bribes to be allocated based on each user's locked amount of CRV rather than allocating based on their veCRV balance.
BribeV2 incorrectly uses a user's slope (which is determined by the amount of CRV they lock). This is a critical flaw because it allows someone with a short lock to get paid out at an equal rate to someone with a long lock on the same amount.
The combination of the two means there is an exploit where a user can:
1. Lock 1m CRV for the minimum amount of time (7 days)
2. Vote for a gauge with a veCRV balance of 4,808 (1m CRV / 208 weeks) but claim rewards based on a gauge vote of 1m veCRV.
3. Withdraw 1m CRV as soon as possible
4. Continue to claim rewards every week forever
Because the CRV can be withdrawn after a week, an exploiter can cycle the same CRV through multiple wallets getting perpetual rewards forever on each.
Loss amount was not provided.
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.