Contract does not earn any boosted position rewards in Maverick Connector #1561
Comments
c4-bot-3
added
3 (High Risk)
c4-bot-13
added
🤖_1235_group
|
DadeKuma marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
|
DadeKuma marked the issue as sufficient quality report |
c4-pre-sort
added
the
sufficient quality report
|
I think the severity is med/low since the assets are not at risk, the only impact is that we won't be able to use the boosted positions which we are planning to fix. |
HadiEsna
added
the
sponsor confirmed
|
gzeon-c4 changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
|
Low risk, asset not at risk and |
|
Hi @gzeon-c4, I believe this issue should of valid Medium-severity.
It is a defined behaviour since the MaverickConnector implements a function to claim boosted position rewards. But due to it's incorrect implementation it is not able to do so. If it wasn't the expected behaviour, I do not think the sponsor would have confirmed the issue. I think this should be a valid Medium-severity issue considering how other issues describing lack of reward/fees claiming functionality or loss of yield/incentives have been judged, which ends up with protocol not receiving their deserved rewards. At the end, the main reason connectors are used is to increase the TVL of the Noya protocol, which the Maverick Connector fails to do (i.e. expected functionality of the contract is impacted and unavailable). Please consider re-evaluating this issue. Thank you for your time! |
|
will reconsider with a potential re-classification of #1100 and its duplicates later |
|
@gzeoneth Just want to clarify, I do not think this is a dup of #1100 since here the functionality itself is affected i.e. boosted position rewards "cannot be collected" through function claimBoostedPositionRewards() in the first place due to the incorrect implementation while in #1100 it is just saying that the fees/yield which "are collected" are not realtime when reporting TVL. Similar issues like #976 and #712 have been judged as medium. |
c4-judge
added
2 (Med Risk)
|
This previously downgraded issue has been upgraded by gzeon-c4 |
c4-judge
added
the
satisfactory
|
gzeon-c4 marked the issue as satisfactory |
c4-judge
added
the
selected for report
|
gzeon-c4 marked the issue as selected for report |
Lines of code
https://github.com/code-423n4/2024-04-noya/blob/9c79b332eff82011dcfa1e8fd51bad805159d758/contracts/connectors/MaverickConnector.sol#L137
Vulnerability details
Summary
The contract has a function in MaverickConnector.sol to call claimBoostedPositionRewards() in order to earn rewards.
Issue:
There will be no boosted position rewards since LP tokens received from adding liquidity in maverick pools are never staked in the boosted position contract.
See here - https://vscode.blockscan.com/ethereum/0x4F24D73773fCcE560f4fD641125c23A2B93Fcb05 and https://docs.mav.xyz/guides/incentives/understanding-boosted-positions. I don't think we even add liquidity to the boosted pool but check.
We first mint LP tokens through our MAV AMM position through this mint() function https://vscode.blockscan.com/ethereum/0x4F24D73773fCcE560f4fD641125c23A2B93Fcb05 and then we stake() it usin this function https://vscode.blockscan.com/ethereum/0x4F24D73773fCcE560f4fD641125c23A2B93Fcb05.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Error
The text was updated successfully, but these errors were encountered: