code-423n4 / 2022-05-rubicon-findings


rewardsVestingWallet is never initialized #429

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L80

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/rubiconPools/BathToken.sol#L642

Vulnerability details

Impact

rewardsVestingWallet in BathToken is never initialized, thus release will never happen:

    /// @notice Address of the OZ Vesting Wallet which acts as means to vest bonusToken incentives to pool HODLers
    IBathBuddy public rewardsVestingWallet;

When calling distributeBonusTokenRewards this will be skipped:

    if (rewardsVestingWallet != IBathBuddy(0)) {
        rewardsVestingWallet.release(
            (token),
            receiver,
            sharesWithdrawn,
            initialTotalSupply,
            feeBPS
        );
    }

Recommended Mitigation Steps

Consider either initializing rewardsVestingWallet or restructuring this functionality.
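Added example (not part of the original report or of the Rubicon code base): a heuristic Python check for this bug class, a state variable that is compared against a zero-address cast but never assigned anywhere, which leaves the guarded branch dead. The Solidity sample is constructed from the snippets quoted above; `feeTo`, `initialize` and `payFee` are hypothetical names added for contrast.

```python
import re

# Constructed sample modelled on the snippets quoted in the report; it is not
# the real BathToken.sol. feeTo/initialize/payFee are hypothetical.
SAMPLE = '''
contract BathTokenSample {
    IBathBuddy public rewardsVestingWallet;
    address public feeTo;

    function initialize(address _feeTo) external { feeTo = _feeTo; }

    function distributeBonusTokenRewards(address receiver) internal {
        if (rewardsVestingWallet != IBathBuddy(0)) {
            rewardsVestingWallet.release(receiver);
        }
        if (feeTo != address(0)) { payFee(feeTo); }
    }
}
'''

# Declaration without initializer: `<Type> [visibility] <name>;`
DECL = re.compile(
    r'^\s*([A-Za-z_]\w*)\s+(?:(?:public|private|internal)\s+)?([A-Za-z_]\w*)\s*;',
    re.M)
KEYWORDS = {'return', 'emit', 'delete'}  # statements that look like declarations

def strip_comments(src):
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def dead_zero_guards(src):
    """Names declared without an initializer, never assigned in this file,
    yet tested with `name != T(0)` or `name == T(0)`. Single-file heuristic:
    writes made via inheritance or assembly are not seen."""
    src = strip_comments(src)
    findings = []
    for typ, name in DECL.findall(src):
        if typ in KEYWORDS:
            continue
        n = re.escape(name)
        # `name = ...` counts as a write; `name == ...` and `name != ...` do not
        assigned = re.search(r'(?<![\w.])' + n + r'\s*=(?!=)', src)
        guarded = re.search(r'(?<![\w.])' + n + r'\s*[!=]=\s*\w+\(0\)', src)
        if guarded and not assigned:
            findings.append(name)
    return findings

if __name__ == '__main__':
    print(dead_zero_guards(SAMPLE))
```

A hit only means no write was found in the scanned file, so confirm by checking parent contracts and initializers before reporting it.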

bghughes commented 2 years ago

Duplicate of #168