code-423n4 / 2021-12-pooltogether-findings


Drain the award pool by feeding outrange epoch into function claimRewards #107

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xabc

Vulnerability details

Impact

In function claimRewards, there is no check on the values in _epochIds. An exploiter can claim more than the promotion award by calling the function with out-of-range epochs.

Proof of Concept

Consider a promotion with promotionId X and numberOfEpochs = Y. The exploiter holds any number of tickets, so he is eligible to claim rewards. The exploiter then calls claimRewards(exploiter_address, X, Z) when block.timestamp > _promotion.startTimestamp + _epochDuration * (Z+1) and Y < Z < 255. Given there is no check on _epochId, I can draw the excess award by calling the above function 255 - Y times.

For the extreme case, the exploiter creates a promotion himself with numberOfEpochs = 1 and epochDuration = 1. The exploiter joins this promotion and calls claimRewards(exploiter_address, promotionId, Z) every second after the promotion ends (i.e. Z ranges from 1 to 255). He can draw 255 x tokensPerEpoch in tokens from the pool.

Recommended Mitigation Steps

Add the following check on the value of _epochId at L174 of TwabRewards.sol: require(_epochId < _promotion.numberOfEpochs, "TwabRewards/epochid-overflow");
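Added example, not code from the finding or from PoolTogether's TwabRewards contract: a simplified Python model of the claim accounting that reproduces the drain described above and shows what the suggested bound check changes. The names (Pool, Promotion, claim_rewards, drain_demo), the 0-indexed uint8 epoch ids, the single claimant who holds all tickets and therefore receives the full tokensPerEpoch for each epoch, and the single shared balance funding every promotion are all assumptions of the model; the real contract weights rewards by TWAB balance, which this model omits.

```python
from dataclasses import dataclass, field


@dataclass
class Promotion:
    """One promotion, modelled on the fields the finding refers to (assumption)."""
    start_timestamp: int
    epoch_duration: int
    number_of_epochs: int
    tokens_per_epoch: int
    claimed: set = field(default_factory=set)  # (user, epoch_id) pairs already paid


class Pool:
    """Holds the tokens of every promotion in one shared balance (assumption)."""

    def __init__(self, check_epoch_bound):
        self.check_epoch_bound = check_epoch_bound  # False = as reported, True = mitigated
        self.promotions = {}
        self.balance = 0
        self.next_id = 1

    def create_promotion(self, start_timestamp, epoch_duration, number_of_epochs, tokens_per_epoch):
        # The creator funds exactly number_of_epochs * tokens_per_epoch.
        pid = self.next_id
        self.next_id += 1
        self.promotions[pid] = Promotion(start_timestamp, epoch_duration,
                                         number_of_epochs, tokens_per_epoch)
        self.balance += number_of_epochs * tokens_per_epoch
        return pid

    def claim_rewards(self, user, promotion_id, epoch_ids, now):
        """Pay `user` for every epoch in `epoch_ids`; returns the amount paid.

        Every check fails the whole call, like a revert. The epoch-bound check is
        the one the finding recommends; everything else is present either way.
        """
        promotion = self.promotions[promotion_id]
        total = 0
        for epoch_id in epoch_ids:
            if not 0 <= epoch_id <= 255:
                raise ValueError("epoch id does not fit in uint8")
            if self.check_epoch_bound and epoch_id >= promotion.number_of_epochs:
                raise ValueError("TwabRewards/epochid-overflow")
            epoch_end = promotion.start_timestamp + promotion.epoch_duration * (epoch_id + 1)
            if now < epoch_end:
                raise ValueError("epoch not over")
            if (user, epoch_id) in promotion.claimed:
                raise ValueError("already claimed")
            total += promotion.tokens_per_epoch  # sole ticket holder takes the whole epoch (assumption)
        if total > self.balance:
            raise ValueError("pool cannot cover claim")  # the token transfer would revert
        for epoch_id in epoch_ids:
            promotion.claimed.add((user, epoch_id))
        self.balance -= total
        return total


def drain_demo(check_epoch_bound):
    """Returns (tokens the attacker extracted, tokens left in the pool).

    Constructed scenario: an honest 10-epoch promotion worth 1000 tokens and the
    attacker's own 1-epoch, 1-second promotion worth 100 tokens share one pool.
    """
    pool = Pool(check_epoch_bound)
    pool.create_promotion(start_timestamp=0, epoch_duration=3600,
                          number_of_epochs=10, tokens_per_epoch=100)
    attacker_promo = pool.create_promotion(start_timestamp=0, epoch_duration=1,
                                           number_of_epochs=1, tokens_per_epoch=100)
    now = 1000  # past the end of epoch 255 of the attacker's promotion (0 + 1 * 256)
    extracted = 0
    for epoch_id in range(256):  # every id representable in a uint8
        try:
            extracted += pool.claim_rewards("attacker", attacker_promo, [epoch_id], now)
        except ValueError:
            continue  # out-of-range epoch rejected, or pool already empty
    return extracted, pool.balance


if __name__ == "__main__":
    print("without bound check:", drain_demo(False))  # attacker takes the honest promotion's tokens too
    print("with bound check:   ", drain_demo(True))   # attacker gets only his own single epoch
```

Without the check the attacker's 1-epoch promotion pays out for epoch ids 1 and upward until the shared balance is empty, so the honest promotion's 1000 tokens are lost; with `_epochId < numberOfEpochs` enforced only epoch 0 pays and the honest promotion is untouched.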

PierrickGT commented 2 years ago

Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/20