code-423n4 / 2021-12-pooltogether-findings


A malicious ticket can drain the tokens #138

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

Anyone can call createPromotion with any arbitrary _ticket, provided it follows the proposed interface. Thus, it is possible to create a promotion with a malicious ticket that returns arbitrary values for getAverageBalanceBetween and getAverageTotalSuppliesBetween. When claiming the rewards, a malicious user can drain the contract by claiming more tokens than were transferred initially on createPromotion.

Recommended Mitigation Steps

Depending on the intentions, you can add auth checks on createPromotion, or add balance assertions so that no more tokens than entitled are claimed from the promotion.
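The two mitigations the report names, sketched as an added example that is not PoolTogether's code and not part of the original issue; the contract, the reduced two-function ticket interface and the function names are simplified assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical, simplified sketch (not PoolTogether's own code): an auth check on
// createPromotion and a hard cap on claims equal to the tokens escrowed at creation.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}
// Ticket interface reduced to what the sketch needs (assumed, not the project's exact one).
interface ITicket {
    function getAverageBalanceBetween(address user, uint64 start, uint64 end) external view returns (uint256);
    function getAverageTotalSupplyBetween(uint64 start, uint64 end) external view returns (uint256);
}
contract BoundedPromotion {
    struct Promotion {
        ITicket ticket;
        IERC20 token;
        uint64 start;
        uint64 end;
        uint256 funded;  // escrowed at creation: the most this promotion can ever pay out
        uint256 claimed; // running total already paid out
    }
    address public immutable owner;
    mapping(uint256 => Promotion) public promotions;
    mapping(uint256 => mapping(address => bool)) public hasClaimed;
    uint256 public nextId;
    constructor() { owner = msg.sender; }
    function createPromotion(ITicket ticket, IERC20 token, uint64 start, uint64 end, uint256 amount) external returns (uint256 id) {
        require(msg.sender == owner, "not authorised"); // auth check: no arbitrary tickets
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        id = nextId++;
        promotions[id] = Promotion(ticket, token, start, end, amount, 0);
    }
    function claim(uint256 id, address user) external {
        Promotion storage p = promotions[id];
        require(!hasClaimed[id][user], "already claimed");
        uint256 supply = p.ticket.getAverageTotalSupplyBetween(p.start, p.end);
        uint256 bal = p.ticket.getAverageBalanceBetween(user, p.start, p.end);
        // Whatever the ticket reports, the payout is a share of `funded` and the
        // running total can never pass it, so a lying ticket cannot drain the escrow.
        require(bal <= supply, "ticket reported balance above supply");
        uint256 reward = supply == 0 ? 0 : (p.funded * bal) / supply;
        require(p.claimed + reward <= p.funded, "claim exceeds escrowed tokens"); // balance assertion
        hasClaimed[id][user] = true;
        p.claimed += reward;
        require(p.token.transfer(user, reward), "transfer failed");
    }
}
```

The second require in claim is the check that matters across several claimants: even if a ticket reports balances that sum to more than its supply, the contract stops paying once the escrowed amount is exhausted.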

PierrickGT commented 2 years ago

Duplicate of https://github.com/code-423n4/2021-12-pooltogether-findings/issues/1