VIS-2 / taobank-04-24


USDC blacklist functionality can lock depositor collateral rewards #40

Open DanailYordanov opened 4 months ago

DanailYordanov commented 4 months ago

Context

StabilityPool::_sendCollateralRewardsToDepositor()

Description

The `_sendCollateralRewardsToDepositor` function in the `StabilityPool` contract transfers collateral rewards to depositors. However, if a depositor has been blacklisted by a token with such functionality, such as USDC, and one of the collateral rewards is USDC, the depositor won't be able to withdraw any rewards from the protocol. This is because the accrued rewards are stored in the `_depositorCollateralGains` array and are transferred in a for-loop.

Recommendation

To address this issue, add a destination `to` address parameter to the `_sendCollateralRewardsToDepositor` function. Then, modify the function to transfer the rewards to the specified `to` address instead of `msg.sender`.

function _sendCollateralRewardsToDepositor(
-    TokenToUint256[] memory _depositorCollateralGains
+    TokenToUint256[] memory _depositorCollateralGains,
+    address to
) internal {
    for (uint256 i = 0; i < _depositorCollateralGains.length; i++) {
        if (_depositorCollateralGains[i].value == 0) {
            continue;
        }
        IERC20 collateralToken = IERC20(
            _depositorCollateralGains[i].tokenAddress
        );
        collateralToken.safeTransfer(
-           msg.sender,
+           to,
            _depositorCollateralGains[i].value
        );
        emit CollateralRewardRedeemed(
-           msg.sender,
+           to,
            _depositorCollateralGains[i].tokenAddress,
            _depositorCollateralGains[i].value
        );
    }
}
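
Review bot: the CollateralRewardRedeemed event now emits to where it used to emit msg.sender, so the log no longer records which depositor redeemed the reward; anyone indexing this event to reconcile per-depositor gains will attribute the payout to the destination address instead. Consider emitting both the depositor and to (or adding a recipient field) rather than replacing one with the other. Two further points on the same loop: to is passed to collateralToken.safeTransfer without any check in this function, so unless the external caller rejects address(0), a mistaken zero destination is caught only if the token itself reverts on it; and the transfers are still all-or-nothing, since one reverting safeTransfer inside the for-loop reverts the whole call, so the change only helps when the chosen to is acceptable to every token in _depositorCollateralGains. The new parameter should also be documented in the function's NatSpec, stating that the caller remains the depositor and to is only the payout destination.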