code-423n4 / 2022-01-openleverage-findings


User reward can get stuck #215

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

csanuragjain

Vulnerability details

Impact

If the contract does not have enough reward tokens, the user's full reward is stuck. There is no provision for partial reward payment.

Proof of Concept

  1. Navigate to https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/farming/FarmingPools.sol

  2. Observe the getReward function

```solidity
function getReward(address stakeToken) public updateReward(stakeToken, msg.sender) checkStart(stakeToken) {
    uint256 reward = rewards[stakeToken][msg.sender].rewards;
    if (reward > 0) {
        // The whole accrued amount is zeroed and transferred in one step;
        // safeTransfer reverts if the pool holds less OLE than `reward`.
        rewards[stakeToken][msg.sender].rewards = 0;
        oleToken.safeTransfer(msg.sender, reward);
        emit RewardPaid(stakeToken, msg.sender, reward);
    }
}
```

  3. As we can see, if the user's reward is 500 and the contract has only 499 rewards left, then no reward will be transferred to the user. The user is blocked until the contract adds more rewards. Instead, the contract could at least have transferred 499 rewards and kept 1 as leftover reward in rewards[stakeToken][msg.sender].rewards.

Recommended Mitigation Steps

If the reward balance is less than the user's reward, the contract must transfer whatever amount is left in the contract, and the rest can be recorded in the user's leftover rewards.
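One way to implement the suggested partial payout, written as an added example for this thread rather than code from the OpenLeverage repository: the claim path pays `min(owed, available)`, writes the remainder back to the user's accrual before the external transfer (effects before interactions), and emits a shortfall event so an under-funded pool is visible in monitoring instead of silently reverting. The `updateReward`/`checkStart` modifiers and the rest of the pool are omitted; the contract name, `RewardShortfall` event and the assumption that the pool's whole OLE balance is reward funds are this example's own. If OLE can also be staked in the same pool, `balanceOf(address(this))` would include staked principal, and a separately tracked reward reserve should be used instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative minimal pool (not the project's FarmingPools): only the
// reward-claim path is modelled.
contract PartialRewardPool {
    using SafeERC20 for IERC20;

    struct UserReward {
        uint256 rewards; // accrued but unclaimed OLE
    }

    IERC20 public immutable oleToken;

    // stakeToken => user => accrued reward, mirroring the original layout
    mapping(address => mapping(address => UserReward)) public rewards;

    event RewardPaid(address indexed stakeToken, address indexed user, uint256 reward);
    // Hypothetical event added here so an under-funded pool is observable off-chain.
    event RewardShortfall(address indexed stakeToken, address indexed user, uint256 owed, uint256 paid);

    constructor(IERC20 _oleToken) {
        oleToken = _oleToken;
    }

    function getReward(address stakeToken) public {
        uint256 owed = rewards[stakeToken][msg.sender].rewards;
        if (owed == 0) {
            return;
        }

        // Assumption: every OLE held by this contract is reward liquidity.
        uint256 available = oleToken.balanceOf(address(this));
        uint256 payout = owed < available ? owed : available;

        // Record the leftover before the external call so the user's
        // remaining claim survives and a re-entrant call sees the reduced balance.
        rewards[stakeToken][msg.sender].rewards = owed - payout;

        if (payout > 0) {
            oleToken.safeTransfer(msg.sender, payout);
            emit RewardPaid(stakeToken, msg.sender, payout);
        }
        if (payout < owed) {
            // Partial payment: the difference stays claimable for later.
            emit RewardShortfall(stakeToken, msg.sender, owed, payout);
        }
    }
}
```

With 500 owed and 499 OLE in the pool, this pays 499, leaves 1 in `rewards[stakeToken][msg.sender].rewards`, and emits `RewardShortfall(stakeToken, user, 500, 499)`; once the pool is topped up, a second call pays the remaining 1. The shortfall event is the detection hook: a funding mistake in `notifyRewardAmount` that the original code would only surface as reverted claims becomes an explicit, alertable signal.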

ColaM12 commented 2 years ago

This issue only happens if a wrong amount is set on the Farming Pool. Recommend severity 1 (Low Risk).

0xleastwood commented 2 years ago

Agree with sponsor, this requires that notifyRewardAmount is called incorrectly.