SoyFinance / smart-contracts


Critical: user can claim reward multiple times #10

Closed Dexaran closed 3 years ago

Dexaran commented 3 years ago

The original stake() function implementation does not take the user's timestamp into account: https://github.com/SoyFinance/smart-contracts/blob/0861db14efe92efba8e5dd9892d01714a0da9c2e/Farming/SOYStakingRewards.sol#L237-L243

As a result, a user can (1) claim the reward multiple times without any restriction and (2) claim the reward, withdraw, switch to another account and then claim the reward again.
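The issue above comes down to missing per-user timestamp bookkeeping: if the contract never records when a user's stake started or when they last claimed, nothing ties a claim to an elapsed reward period. The contract below is an added, hypothetical and deliberately simplified illustration of that bookkeeping; it is not SOYStakingRewards.sol or any other SoyFinance code, it omits ERC-20 transfers (balances are plain mappings), and the names `rewardStart`, `rewardPerStakePerPeriod`, `rewardsPaid` and the reward formula are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified staking contract written for this issue thread.
// It is NOT SOYStakingRewards.sol; it only shows the per-user timestamp
// bookkeeping that the issue says the original stake() lacked.
// Token transfers are omitted; stake and reward balances are modelled with mappings.
contract TimestampedStaking {
    // Length of one reward period (the issue mentions 3 minutes on the Test contracts).
    uint256 public immutable rewardDuration;
    // Reward units paid per staked unit per full period (constructed parameter).
    uint256 public immutable rewardPerStakePerPeriod;

    mapping(address => uint256) public staked;
    // Timestamp from which the next reward period for this user is counted.
    // Set on stake(), advanced on every payout, so each elapsed period is paid once.
    mapping(address => uint256) public rewardStart;
    // Rewards credited so far (stands in for a token transfer).
    mapping(address => uint256) public rewardsPaid;

    constructor(uint256 _rewardDuration, uint256 _rewardPerStakePerPeriod) {
        require(_rewardDuration > 0, "zero duration");
        rewardDuration = _rewardDuration;
        rewardPerStakePerPeriod = _rewardPerStakePerPeriod;
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero stake");
        // Settle anything already earned before the new deposit changes the accounting.
        _claim(msg.sender);
        staked[msg.sender] += amount;
        if (rewardStart[msg.sender] == 0) {
            // First stake for this account: the clock starts now, so a fresh account
            // earns nothing until a full rewardDuration has passed since its own stake().
            rewardStart[msg.sender] = block.timestamp;
        }
    }

    // Reward claimable right now: only whole periods elapsed since rewardStart count.
    function earned(address user) public view returns (uint256) {
        if (staked[user] == 0) return 0;
        uint256 periods = (block.timestamp - rewardStart[user]) / rewardDuration;
        return periods * staked[user] * rewardPerStakePerPeriod;
    }

    function claim() external {
        _claim(msg.sender);
    }

    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient stake");
        _claim(msg.sender);
        staked[msg.sender] -= amount;
        if (staked[msg.sender] == 0) {
            // No stake left: clear the clock so a later stake() starts a new period.
            rewardStart[msg.sender] = 0;
        }
    }

    function _claim(address user) internal {
        if (staked[user] == 0) return;
        uint256 periods = (block.timestamp - rewardStart[user]) / rewardDuration;
        // No full period has elapsed since the last payout: a repeated claim pays nothing.
        if (periods == 0) return;
        // Advance the clock by exactly the periods being paid, so the same period
        // cannot be claimed twice and any partial period keeps accruing.
        rewardStart[user] += periods * rewardDuration;
        rewardsPaid[user] += periods * staked[user] * rewardPerStakePerPeriod;
    }
}
```

With this bookkeeping, both behaviours described in the issue are closed by the same state variable: a second claim() inside the same period sees `periods == 0` and credits nothing, and a withdraw followed by a stake from another account resets that account's `rewardStart` to its own stake time rather than inheriting any earlier period. A useful check when reviewing a staking contract is to locate the state that changes on claim; if nothing per-user is written, repeated claims will succeed.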

Dexaran commented 3 years ago

For the Test contracts, rewardDuration is set to 3 minutes.

Here is the first transaction (September-23-2021 07:32:08 PM +4 UTC): https://explorer.callisto.network/tx/0xc34c5e3f7c6aadff60dafeb4bc1568bcbe555a03fe96f0810ce3fefc2626af29/token-transfers

Here is the second transaction (September-23-2021 07:33:09 PM +4 UTC): https://explorer.callisto.network/tx/0x5c4766d2231acc07c8c6352ef403e67f04d954c389ebd6b0551f2c7de2d9f2ec/logs

Dexaran commented 3 years ago

Not relevant since https://github.com/SoyFinance/smart-contracts/commit/8ac3f514ce99dfed2449103171c28f8eaf98a675