There are no checks to make sure _epochId < _numberOfEpochs in claimRewards. This allow one to create a promotion with 0 epoch without cost, and drain any promotion rewards
Proof of Concept
Attacker can create a promotion with the following configuration:
Handle
gzeon
Vulnerability details
Impact
There are no checks to make sure
_epochId < _numberOfEpochs
inclaimRewards
. This allow one to create a promotion with 0 epoch without cost, and drain any promotion rewardsProof of Concept
Attacker can create a promotion with the following configuration:
Creation of such promotion require 0 targetToken since
Yet the attacker can immediately call
claimRewards
to drain the contract. An un-optimized POC as follow:To optimize the attack, attacker can deploy a _ticket that he own 100% of the supply and set _tokensPerEpoch to targetToken.balanceOf(TwabRewards)
Tools Used
Hardhat with test case in https://github.com/pooltogether/v4-periphery/blob/b520faea26bcf60371012f6cb246aa149abd3c7d/test/TwabRewards.test.ts
Recommended Mitigation Steps
require(_epochId < _numberOfEpochs,'!reward')
inclaimRewards