code-423n4 / 2022-04-xtribe-findings


`FlywheelCore/claimRewards()` let users claim rewards on behalf of others #55

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/fei-protocol/flywheel-v2/blob/77bfadf388db25cf5917d39cd9c0ad920f404aad/src/FlywheelCore.sol#L119

Vulnerability details

Impact

`claimRewards()` in `FlywheelCore` lets users claim rewards on behalf of others. It seems to be fine because the rewards are sent to the correct users, but this is an unintended action for receivers. If the receiver is a contract that is sensitive to the amount of reward tokens, attackers can manipulate the balance of the reward token in the receiver contract.

Proof of Concept

    // `user` is an arbitrary address chosen by the caller, not msg.sender,
    // so any account can trigger the payout for any other account.
    function claimRewards(address user) external {
        uint256 accrued = rewardsAccrued[user];

        if (accrued != 0) {
            rewardsAccrued[user] = 0;

            // Tokens always go to `user`, never to the caller.
            rewardToken.safeTransferFrom(address(flywheelRewards), user, accrued);

            emit ClaimRewards(user, accrued);
        }
    }

Tools Used

vim

Recommended Mitigation Steps

claimRewards should only claim for msg.sender

Joeysantoro commented 2 years ago

this is the same pattern compound and aave use, receivers should be prepared to handle tokens

0xean commented 2 years ago

Closing as invalid.

"Attackers can manipulate the balance of the reward token in the receiver contract." - An attacker could also just send tokens to that contract, and therefore this isn't a vulnerability of this system.
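As an added example (not Flywheel's code and not part of the thread), the claim pattern under discussion modelled in one self-contained Solidity file: the open `claimRewards(address user)` as reported, the warden's `msg.sender`-only variant, a receiver that reacts to balance changes, and the plain-transfer path 0xean points to. Every contract name here (`MockToken`, `RewardsBase`, `OpenClaim`, `SelfClaim`, `BalanceSensitiveReceiver`, `Demo`) is hypothetical; `rewardsVault` stands in for `flywheelRewards`, and `accrue` is an unguarded test hook in place of Flywheel's real accrual logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Flywheel code. All contract names are hypothetical.
interface IERC20Like {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Minimal token with just enough ERC20 surface for the scenario.
contract MockToken is IERC20Like {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }
    function transfer(address to, uint256 amount) external override returns (bool) { return _move(msg.sender, to, amount); }
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        allowance[from][msg.sender] -= amount;
        return _move(from, to, amount);
    }
    function _move(address from, address to, uint256 amount) internal returns (bool) {
        require(balanceOf[from] >= amount, "balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Shared accounting. `rewardsVault` stands in for flywheelRewards; `accrue` is an
// unguarded test hook replacing Flywheel's real accrual logic (assumption).
abstract contract RewardsBase {
    IERC20Like public immutable rewardToken;
    address public immutable rewardsVault;
    mapping(address => uint256) public rewardsAccrued;
    event ClaimRewards(address indexed user, uint256 amount);

    constructor(IERC20Like token, address vault) { rewardToken = token; rewardsVault = vault; }
    function accrue(address user, uint256 amount) external { rewardsAccrued[user] += amount; }

    function _claim(address user) internal {
        uint256 accrued = rewardsAccrued[user];
        if (accrued != 0) {
            rewardsAccrued[user] = 0;
            require(rewardToken.transferFrom(rewardsVault, user, accrued), "transfer");
            emit ClaimRewards(user, accrued);
        }
    }
}

// Pattern from the report: any caller may trigger a payout to any user.
contract OpenClaim is RewardsBase {
    constructor(IERC20Like t, address v) RewardsBase(t, v) {}
    function claimRewards(address user) external { _claim(user); }
}

// The warden's mitigation: only the account itself can trigger its payout.
contract SelfClaim is RewardsBase {
    constructor(IERC20Like t, address v) RewardsBase(t, v) {}
    function claimRewards() external { _claim(msg.sender); }
}

// A receiver "sensitive to the amount of reward tokens": it books any balance
// growth since its last snapshot as income it did not initiate.
contract BalanceSensitiveReceiver {
    IERC20Like public immutable token;
    uint256 public lastSeen;
    uint256 public unexpectedIncome;
    constructor(IERC20Like t) { token = t; }
    function sync() external {
        uint256 current = token.balanceOf(address(this));
        unexpectedIncome += current - lastSeen;
        lastSeen = current;
    }
}

// Runs the three scenarios in one call; Demo plays both the vault and the third party.
contract Demo {
    function run() external returns (bool viaOpenClaim, bool viaSelfClaim, bool viaDirectTransfer) {
        MockToken token = new MockToken();
        token.mint(address(this), 1_000e18);
        BalanceSensitiveReceiver receiver = new BalanceSensitiveReceiver(token);

        // 1. Open claim: Demo claims on the receiver's behalf and moves its balance.
        OpenClaim open = new OpenClaim(token, address(this));
        token.approve(address(open), type(uint256).max);
        open.accrue(address(receiver), 10e18);
        open.claimRewards(address(receiver));
        receiver.sync();
        viaOpenClaim = receiver.unexpectedIncome() > 0;

        // 2. Self-only claim: Demo cannot trigger the receiver's payout; claimRewards()
        //    only claims Demo's own (zero) accrual, so the receiver's balance is untouched.
        SelfClaim self = new SelfClaim(token, address(this));
        token.approve(address(self), type(uint256).max);
        self.accrue(address(receiver), 10e18);
        uint256 before = receiver.unexpectedIncome();
        self.claimRewards();
        receiver.sync();
        viaSelfClaim = receiver.unexpectedIncome() > before;

        // 3. The mitigation does not stop a plain transfer from changing the balance.
        before = receiver.unexpectedIncome();
        token.transfer(address(receiver), 1e18);
        receiver.sync();
        viaDirectTransfer = receiver.unexpectedIncome() > before;
    }
}
```

Deploying `Demo` and calling `run()` returns `(true, false, true)`: restricting `claimRewards` to `msg.sender` does close the claim-on-behalf path, but a receiver whose logic keys off its raw token balance is still moved by an ordinary `transfer`, which is the point made when closing the issue. A receiver that must not be surprised by incoming tokens should account for them by tracked deposits rather than `balanceOf`, regardless of how the rewards contract gates claims.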