In Drips.sol, the second for loop of _squeezedAmt() is going to break (on line 492 in the code block below) and exit the loop if receiver.userId != userId. As a result, the rest of the iterations that might fulfill receiver.userId == userId are not going to have amt separately added, i.e. the returned output, squeezedAmt is going to be lesser in value than expected. The impact could be very significant if this were to happen at the beginning part of the loop iterations.
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/main/src/Drips.sol#L492 https://github.com/code-423n4/2023-01-drips/blob/main/src/Drips.sol#L429 https://github.com/code-423n4/2023-01-drips/blob/main/src/DripsHub.sol#L297-L306
Vulnerability details
Impact
In Drips.sol, the second for loop of
_squeezedAmt()
is going to break (on line 492 in the code block below) and exit the loop ifreceiver.userId != userId
. As a result, the rest of the iterations that might fulfillreceiver.userId == userId
are not going to haveamt
separately added, i.e. the returned output,squeezedAmt
is going to be lesser in value than expected. The impact could be very significant if this were to happen at the beginning part of the loop iterations.File: Drips.sol#L470-L498
Proof of Concept
This further affects the returned output,
amt
, of_squeezeDripsResult()
since it is being privately linked to_squeezedAmt()
on line 429.File: Drips.sol#L392-L434
Additionally,
squeezeDripsResult()
is going to possibly return inaccurate result too.File: DripsHub.sol#L297-L306
Tools Used
Manual inspection
Recommended Mitigation Steps
Consider replacing
break
withcontinue
so that the for loop will encompass all valid iterations to accurately updateamt
.