search

code-423n4 / 2021-08-yield-findings

1 stars 0 forks source link

Missing input validation to check that end > start #49

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

setRewards() is missing input validation on parameters start and end to check if end > start. If accidentally set incorrectly, this will allow resetting new rewards while there is an ongoing one.

Proof of Concept

https://github.com/code-423n4/2021-08-yield/blob/4dc46470e616dd0cbd9db9b4742e36c4d809e02c/contracts/utils/token/ERC20Rewards.sol#L74-L88

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add a require() to check that end > start.

alcueca commented 3 years ago

If accidentally set incorrectly, this will allow resetting new rewards while there is an ongoing one.

I would say that if we set it incorrectly, we would like to reset it as soon as possible :)

Still, a good check to add, since otherwise it leads to strange behaviour.

alcueca commented 3 years ago

Fix