`SyndicateRewardsProcessor#claimed[_user][_token]` is meant to hold the cumulative amount `_user` has already claimed for `_token`, but `_distributeETHRewardsToUserForToken()` overwrites it with the current `due` (the latest increment only) instead of adding to it. On the next call the `due` calculation subtracts only that last increment, so rewards that were already claimed are counted as due again: the user is over-credited and `totalClaimed` is inflated in step.
Proof of Concept
`claimed[_user][_token]` is overwritten with the difference (`due`) instead of being increased by it:
/// @notice Settles the ETH-reward accounting for `_user` on `_balance` LP shares of `_token`.
/// @dev Rewards owed are `accumulatedETHPerLPShare * _balance / PRECISION` minus the value
///      recorded in `claimed[_user][_token]`, so that mapping is expected to hold the running
///      total already paid out. `accumulatedETHPerLPShare`, `PRECISION`, `claimed` and
///      `totalClaimed` are contract state declared outside this listing.
/// @param _user Account whose rewards are being settled; first key of `claimed`.
/// @param _token LP token the rewards are attributed to; second key of `claimed`.
/// @param _balance LP share balance used to scale the accumulated per-share rewards.
/// @param _recipient Must be non-zero. In this excerpt it is only validated and never paid;
///        the listing is presumably abridged — confirm against the full contract.
function _distributeETHRewardsToUserForToken(
    address _user,
    address _token,
    uint256 _balance,
    address _recipient
) internal {
    require(_recipient != address(0), "Zero address");
    uint256 balance = _balance;
    if (balance > 0) {
        // Total accrued for this balance, less whatever `claimed` says was already settled.
        uint256 due = ((accumulatedETHPerLPShare * balance) / PRECISION) - claimed[_user][_token];
        if (due > 0) {
            // @audit BUG: `claimed` is overwritten with this call's increment instead of being
            // increased by it. On the next call the subtraction above deducts only the last
            // increment, so rewards already settled are counted as due again and `totalClaimed`
            // grows by the same excess. Intended: `claimed[_user][_token] += due;`
            claimed[_user][_token] = due;
            totalClaimed += due;
        }
    }
}
Tools Used
Recommended Mitigation Steps
abstract contract SyndicateRewardsProcessor {
...
function _distributeETHRewardsToUserForToken(
address _user,
address _token,
uint256 _balance,
address _recipient
) internal {
require(_recipient != address(0), "Zero address");
uint256 balance = _balance;
if (balance > 0) {
// Calculate how much ETH rewards the address is owed / due
uint256 due = ((accumulatedETHPerLPShare * balance) / PRECISION) - claimed[_user][_token];
if (due > 0) {
- claimed[_user][_token] = due;
+ claimed[_user][_token] += due;
totalClaimed += due;
}
}
}
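Review bot: With `claimed[_user][_token] += due` on the new line, `claimed` becomes a running total, so the subtraction on the line computing `due` now relies on `accumulatedETHPerLPShare * balance / PRECISION` never dropping below that total; if a caller can pass a smaller `_balance` than on an earlier claim (e.g. after the user's LP balance shrinks), the call reverts under checked arithmetic, or wraps silently on a pre-0.8 compiler — the pragma is not shown here. The mitigation should state the invariant that keeps `claimed` consistent when balances change, or at least record it with a comment such as `// claimed is a running total; callers must adjust it whenever _balance decreases` above the `due` line. In this excerpt `_recipient` is only zero-checked and no ETH transfer appears, so the snippet is presumably abridged and the fix should be confirmed against the full function rather than this listing. The enclosing `abstract contract` is not closed within the snippet.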
Lines of code
https://github.com/code-423n4/2022-11-stakehouse/blob/4b6828e9c807f2f7c569e6d721ca1289f7cf7112/contracts/liquid-staking/SyndicateRewardsProcessor.sol#L63
Vulnerability details
Impact
`SyndicateRewardsProcessor#claimed[_user][_token]` is meant to hold the cumulative amount `_user` has already claimed for `_token`, but `_distributeETHRewardsToUserForToken()` overwrites it with the current `due` (the latest increment only) instead of adding to it. On the next call the `due` calculation subtracts only that last increment, so rewards that were already claimed are counted as due again: the user is over-credited and `totalClaimed` is inflated in step.
Proof of Concept
`claimed[_user][_token]` is overwritten with the difference (`due`) instead of being increased by it.
Tools Used
Recommended Mitigation Steps