The _sendCollateralRewardsToDepositor function in the StabilityPool contract transfers collateral rewards to depositors. However, if a depositor has been blacklisted by a token with such functionality as USDC and one of the collateral rewards is USDC, the depositor won't be able to withdraw any rewards from the protocol. This is because the accrued rewards are stored in the _depositorCollateralGains array and are transferred in a for-loop.
Recommendation
To address this issue, add a destination to address parameter to the _sendCollateralRewardsToDepositor function. Then, modify the function to transfer the rewards to the specified to address instead of msg.sender.
function _sendCollateralRewardsToDepositor(
- TokenToUint256[] memory _depositorCollateralGains
+ TokenToUint256[] memory _depositorCollateralGains,
+ address to
) internal {
for (uint256 i = 0; i < _depositorCollateralGains.length; i++) {
if (_depositorCollateralGains[i].value == 0) {
continue;
}
IERC20 collateralToken = IERC20(
_depositorCollateralGains[i].tokenAddress
);
collateralToken.safeTransfer(
- msg.sender,
+ to,
_depositorCollateralGains[i].value
);
emit CollateralRewardRedeemed(
- msg.sender,
+ to,
_depositorCollateralGains[i].tokenAddress,
_depositorCollateralGains[i].value
);
}
}
Context
StabilityPool::_sendCollateralRewardsToDepositor()
Description
The
_sendCollateralRewardsToDepositor
function in theStabilityPool
contract transfers collateral rewards to depositors. However, if a depositor has been blacklisted by a token with such functionality asUSDC
and one of the collateral rewards isUSDC
, the depositor won't be able to withdraw any rewards from the protocol. This is because the accrued rewards are stored in the_depositorCollateralGains
array and are transferred in a for-loop.Recommendation
To address this issue, add a destination
to
address parameter to the_sendCollateralRewardsToDepositor
function. Then, modify the function to transfer the rewards to the specifiedto
address instead ofmsg.sender
.