Handle
WatchPug
Vulnerability details
The reclaimIncentive() function allows users who previously added incentives to withdraw unclaimed rewards.
However, the current implementation does not manage the state correctly: incentive.rewardsUnclaimed is not updated after the token transfer, which allows the user to call reclaimIncentive() again and get incentive.token up to the amount of rewardsUnclaimed.
When incentive.token is set to token0 or token1, this can be used for stealing yields from other users.
https://github.com/sushiswap/trident/blob/c405f3402a1ed336244053f8186742d2da5975e9/contracts/pool/concentrated/ConcentratedLiquidityPoolManager.sol#L59-L60
Recommended Mitigation Steps
Consider removing the amount parameter and always withdrawing all the unclaimed rewards to the owner, then deleting the incentive.
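The missing state update and the recommended shape side by side, as an added example that is not the Trident contract's code. The contract name IncentiveModel, the uint256 incentive id, the addIncentive() helper, the revert strings and the omission of pool, expiry and BentoBox handling are all simplifying assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this note; names and layout are assumptions.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract IncentiveModel {
    struct Incentive {
        address owner;
        address token;
        uint256 rewardsUnclaimed;
    }

    mapping(uint256 => Incentive) public incentives;

    function addIncentive(uint256 id, address token, uint256 amount) external {
        require(incentives[id].owner == address(0), "EXISTS");
        incentives[id] = Incentive(msg.sender, token, amount);
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "TRANSFER_FAILED");
    }

    // Flawed pattern from the finding: rewardsUnclaimed is never reduced,
    // so the balance check below passes again on every later call.
    function reclaimIncentiveFlawed(uint256 id, uint256 amount, address receiver) external {
        Incentive storage incentive = incentives[id];
        require(incentive.owner == msg.sender, "NOT_OWNER");
        require(incentive.rewardsUnclaimed >= amount, "ALREADY_CLAIMED");
        require(IERC20(incentive.token).transfer(receiver, amount), "TRANSFER_FAILED");
    }

    // Recommended shape: no amount parameter, pay out the full remainder once,
    // and delete the record before making the external call.
    function reclaimIncentive(uint256 id, address receiver) external {
        Incentive memory incentive = incentives[id]; // copy before deletion
        require(incentive.owner == msg.sender, "NOT_OWNER");
        require(incentive.rewardsUnclaimed > 0, "NOTHING_TO_RECLAIM");
        delete incentives[id]; // owner becomes address(0): a repeat call reverts NOT_OWNER
        require(
            IERC20(incentive.token).transfer(receiver, incentive.rewardsUnclaimed),
            "TRANSFER_FAILED"
        );
    }
}
```

Deleting the record before the transfer also keeps a token with transfer callbacks from re-entering reclaimIncentive() against a still-populated incentive.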