
INFLATION_PROTECTION_TIME cannot be up to a year as intended because it is hardcoded to 1749120350 #247

Open
howlbot-integration bot opened this issue Aug 20, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-04 primary issue Highest quality submission among a set of duplicates satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration

Lines of code

https://github.com/code-423n4/2024-07-loopfi/blob/4f508781a49ffa53511e7e5ed6cda0ff0eb5bdc5/src/vendor/AuraVault.sol#L66
https://github.com/code-423n4/2024-07-loopfi/blob/main/src/vendor/AuraVault.sol#L301-L307

Vulnerability details

Impact

AURA rewards will be distributed for a shorter time than a year.

In fact, if the AuraVault.sol contract is deployed 295 days after the completion of this audit contest, no AURA rewards will be distributed. This is because the INFLATION_PROTECTION_TIME is hardcoded to 1749120350.

Proof of Concept

The Aura rewards are to be distributed within a year, which is specified with the INFLATION_PROTECTION_TIME constant. However, the INFLATION_PROTECTION_TIME constant is hardcoded in the AuraVault.sol contract to 1749120350.

File: AuraVault.sol

```solidity
66:  uint256 private constant INFLATION_PROTECTION_TIME = 1749120350;
```

And there is a validation check to distribute rewards only before this 1749120350 timestamp. At the time of writing this report there are 310 days left, and after the contest there will be less than 295 days left for Aura distribution, based on the hardcoded 1749120350 INFLATION_PROTECTION_TIME constant.

If this AuraVault.sol is deployed 295 days from the time of writing this report, no AURA rewards will be distributed.

The issue lies in the fact that the INFLATION_PROTECTION_TIME constant is hardcoded to 1749120350, which is already decreasing the duration of rewards from a year to zero.

File: AuraVault.sol

```solidity
    /**
     * @notice Allows anyone to claim accumulated rewards by depositing WETH instead
     * @param amounts An array of reward amounts to be claimed ordered as [rewardToken, secondaryRewardToken]
     * @param maxAmountIn The max amount of WETH to be sent to the Vault
     */
    function claim(uint256[] memory amounts, uint256 maxAmountIn) external returns (uint256 amountIn) {
        // Claim rewards from Aura reward pool
        IPool(rewardPool).getReward();

        // Compute assets amount to be sent to the Vault
        VaultConfig memory _config = vaultConfig;
        amountIn = _previewReward(amounts[0], amounts[1], _config);

        // Transfer assets to Vault
        require(amountIn <= maxAmountIn, "!Slippage");
        IERC20(asset()).safeTransferFrom(msg.sender, address(this), amountIn);

        // Compound assets into "asset" balance
        IERC20(asset()).safeApprove(rewardPool, amountIn);
        IPool(rewardPool).deposit(amountIn, address(this));

        // Distribute BAL rewards
        IERC20(BAL).safeTransfer(_config.lockerRewards, (amounts[0] * _config.lockerIncentive) / INCENTIVE_BASIS);
        IERC20(BAL).safeTransfer(msg.sender, amounts[0]);

        // Distribute AURA rewards
@>        if (block.timestamp <= INFLATION_PROTECTION_TIME) {
            IERC20(AURA).safeTransfer(_config.lockerRewards, (amounts[1] * _config.lockerIncentive) / INCENTIVE_BASIS);
            IERC20(AURA).safeTransfer(msg.sender, amounts[1]);
        } else {
            // after INFLATION_PROTECTION_TIME
            IERC20(AURA).safeTransfer(_config.lockerRewards, IERC20(AURA).balanceOf(address(this)));
        }

        emit Claimed(msg.sender, amounts[0], amounts[1], amountIn);
    }
```

Tools Used

Manual review

Recommended Mitigation Steps

Consider setting the INFLATION_PROTECTION_TIME in the constructor instead of hardcoding it.

```diff
--  uint256 private constant INFLATION_PROTECTION_TIME = 1749120350;
++  uint256 private immutable INFLATION_PROTECTION_TIME;


    constructor(
     ...        
    ) ERC4626(IERC20(asset_)) ERC20(tokenName_, tokenSymbol_) {
     ...  
++    INFLATION_PROTECTION_TIME = block.timestamp + 365 days;
    }
```

Assessed type

Timing
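The following is an added example written for this page, not code from the report or from the LoopFi code base. It models the AURA branch of `claim()` in Python so the effect of the hardcoded deadline can be checked for any deployment timestamp, and compares it with the constructor-set `block.timestamp + 365 days` deadline the report recommends. The deployment timestamps, the `locker_incentive` value and the `INCENTIVE_BASIS` denominator of 10,000 are constructed assumptions for the illustration (the report does not state the contract's basis value), so the day counts it prints illustrate the decay of the window rather than reproduce the report's 310/295-day figures.

```python
"""Added example: how the hardcoded INFLATION_PROTECTION_TIME shrinks the AURA
reward window depending on deployment time, versus a deadline fixed at deployment."""
from datetime import datetime, timezone

# Value hardcoded in AuraVault.sol, taken from the report.
INFLATION_PROTECTION_TIME = 1749120350
# Assumed basis-point denominator for the locker incentive; not stated on the page.
INCENTIVE_BASIS = 10_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def deadline_utc(ts: int) -> str:
    """Render a unix timestamp as a UTC date so the hardcoded deadline is readable."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def days_remaining(deploy_ts: int, deadline: int = INFLATION_PROTECTION_TIME) -> int:
    """Whole days after deployment during which claimants still receive AURA, clamped at zero."""
    return max(0, (deadline - deploy_ts) // SECONDS_PER_DAY)


def constructor_deadline(deploy_ts: int) -> int:
    """Mitigated variant from the report: deadline set relative to deployment time."""
    return deploy_ts + SECONDS_PER_YEAR


def aura_distribution(block_ts: int, deadline: int, claimed_aura: int,
                      vault_aura_balance: int, locker_incentive: int) -> tuple[int, int]:
    """Mirror of the AURA branch in claim(): returns (to_locker, to_caller).

    On or before the deadline the caller receives the claimed amount and the locker
    its incentive share; after the deadline the vault's whole AURA balance is swept
    to the locker and the caller receives nothing."""
    if block_ts <= deadline:
        to_locker = claimed_aura * locker_incentive // INCENTIVE_BASIS
        return to_locker, claimed_aura
    return vault_aura_balance, 0


def compare_windows(deploy_ts: int) -> dict:
    """Reward window length for a given deployment under both designs."""
    return {
        "hardcoded_days": days_remaining(deploy_ts),
        "constructor_days": days_remaining(deploy_ts, constructor_deadline(deploy_ts)),
    }


if __name__ == "__main__":
    # Constructed deployment timestamps (UTC midnight): 2024-08-20, 2025-03-01, 2025-06-06.
    print("hardcoded deadline is", deadline_utc(INFLATION_PROTECTION_TIME))
    for label, ts in [("2024-08-20", 1724112000), ("2025-03-01", 1740787200),
                      ("2025-06-06", 1749168000)]:
        print(label, compare_windows(ts))
    # Claim one block after the deadline: caller gets nothing, locker sweeps the balance.
    print(aura_distribution(INFLATION_PROTECTION_TIME + 1, INFLATION_PROTECTION_TIME,
                            claimed_aura=1_000, vault_aura_balance=5_000, locker_incentive=500))
```

Running it shows the window shrinking from a few hundred days to zero as the deployment date moves toward June 2025 under the hardcoded constant, while the constructor-set deadline always yields 365 days; a deployment after the deadline sends every claim's AURA straight to the locker.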

@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates sufficient quality report This report is of sufficient quality labels Aug 20, 2024
howlbot-integration bot added a commit that referenced this issue Aug 20, 2024
@amarcu amarcu added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Sep 20, 2024
@amarcu

amarcu commented Sep 20, 2024

Acknowledged but we will remove and not use the AuraVault.

@c4-judge

koolexcrypto marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report labels Sep 25, 2024
@c4-judge

c4-judge commented Oct 2, 2024

koolexcrypto marked the issue as selected for report

@C4-Staff C4-Staff added the M-04 label Nov 4, 2024