strictly-scarce
commented
3 years ago This is valid.
The member should only claim against synths they have deposited, where the time would be initialised.
Open code423n4 opened 3 years ago
strictly-scarce
commented
3 years ago This is valid.
The member should only claim against synths they have deposited, where the time would be initialised.
strictly-scarce
commented
3 years ago Would place this as severity: 2, since the anyone can participate in claiming rewards, but no extra inflation occurs.
Handle
@cmichelio
Vulnerability details
Vulnerability Details
The
harvestcallscalcCurrentRewardwhich computes_secondsSinceClaim = block.timestamp - mapMemberSynth_lastTime[member][synth];. As one can claim different synths than the synths that they deposited,mapMemberSynth_lastTime[member][synth]might still be uninitialized and the_secondsSinceClaimbecomes the current block timestamp.Impact
The larger the
_secondsSinceClaimthe larger the rewards. This bug allows claiming a huge chunk of the rewards.Recommended Mitigation Steps
Let users only harvest synths that they deposited.