After a promotion is cancelled using cancelPromotion, not awarded rewards for remaining epochs are sent to an address given by promotion creator. Awarded rewards not claimed by users stay in the contract. Since the promotion is deleted from _promotions, users cannot call claimRewards to claim their rewards from the past. As a result, those tokens get stuck in the contract and users lose funds.
Mitigation step
In cancelPromotion, do not delete promotions directly, just reduce their _numberOfEpochs accordingly.
PierrickGT
commented
2 years ago
Handle
0x0x0x
Vulnerability details
After a promotion is cancelled using
cancelPromotion, not awarded rewards for remaining epochs are sent to an address given by promotion creator. Awarded rewards not claimed by users stay in the contract. Since the promotion is deleted from_promotions, users cannot callclaimRewardsto claim their rewards from the past. As a result, those tokens get stuck in the contract and users lose funds.Mitigation step
In
cancelPromotion, do not delete promotions directly, just reduce their_numberOfEpochsaccordingly.