search

code-423n4 / 2023-05-ajna-findings

2 stars 0 forks source link

Rewards may be claimed multiple times using the `moveStakedLiquidity()` function. #316

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L135

Vulnerability details

Severity

Medium

Rewards may be claimed multiple times using the moveStakedLiquidity() function.

Summary

The RewardsManager.moveStakedLiquidity() function does not check if rewards has already been claimed.

Vulnerability Details

The moveStakedLiquidity function after running some checks and initializing some variables, calls the _claimRewards function but does not check if rewards has already been claimed.

Link To Code

    function moveStakedLiquidity(
        uint256 tokenId_,
        uint256[] memory fromBuckets_,
        uint256[] memory toBuckets_,
        uint256 expiry_
    ) external nonReentrant override {
        StakeInfo storage stakeInfo = stakes[tokenId_];

        if (msg.sender != stakeInfo.owner) revert NotOwnerOfDeposit();

        // check move array sizes match to be able to match on index
        uint256 fromBucketLength = fromBuckets_.length;
        if (fromBucketLength != toBuckets_.length) revert MoveStakedLiquidityInvalid();

An Attacker may use this to their advantage by calling the moveStakedLiquidity() function multiple times thereby collecting rewards each time.

Impact

Rewards may be claimed multiple times by a lender through moving liquidity.

Tools Used

Manual Review

Recommended Mitigation Step

The check done in the claimRewards function to stop this kind of vulnerability, should be implemented in the moveStakedLiquidity function.

      if (isEpochClaimed[tokenId_][epochToClaim_]) revert AlreadyClaimed();

Assessed type

Invalid Validation

c4-judge commented 1 year ago

Picodes marked the issue as primary issue

c4-sponsor commented 1 year ago

MikeHathaway marked the issue as sponsor confirmed

c4-judge commented 1 year ago

Picodes marked issue #132 as primary and marked this issue as a duplicate of 132

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes changed the severity to 3 (High Risk)