185.md

Scrawny Mustard Tadpole

Medium

(available - limit) Number Of Assets Locked Forever

Summary

(available - limit) number of tokens can be locked forever in the incentive since claims and clawbacks can only be done till the limit.

Vulnerability Detail

1.) When a budget is deployed assets can be allocated to that budget ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/budgets/ManagedBudget.sol#L57

Say users or owner allocated 100 ERC1155 tokens to this budget.

2.) Then assets are disbursed to the incentive when the boost is being created ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L285

and the incentive is initialized ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L289

It is possible and intended that the available in the incentive is larger than the limit set on the incentive , ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/ERC1155Incentive.sol#L50

3.) In the above scenario , (available - limit) number of tokens will be locked forever , this is because the tokens can be claimed till the limit defined and even in the clawback() function the assets that can be clawed back are up to the limit ->

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/ERC1155Incentive.sol#L109

The same is true for more incentives such as ERC20Incentive.

Impact

Some tokens would be locked forever in the Incentive contract.

Code Snippet

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/ERC1155Incentive.sol#L109

Tool used

Manual Review

Recommendation

Have a mechanism to transfer the extra assets.