code-423n4 / 2023-05-ajna-findings


_transferAjnaRewards doesn't save the remaining rewards of a staker for the next transfer #441

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L597
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L815

Vulnerability details

Impact

Staker will earn less than expected

Proof of Concept

In the _claimRewards function at https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L597, _transferAjnaRewards is called to claim rewardsEarned for the staker according to the tokenId. The issue is at https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L815:

 if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance;

When the _transferAjnaRewards function is transferring the rewardsEarned_ value, if the rewardsEarned is greater than the contract's ERC20 balance, it will update rewardsEarned to equal the balance, ignoring the remaining rewards anyway. This is unfair and messes with the staker's rewards, with no reason given for the missing reward value. This would give unclear results for stakers when they claim their rewards after staking for a period of time.

Tools Used

Manual Review

Recommended Mitigation Steps

Track the rewardsEarned in a hash map and keep what is left in the rewardsEarned to transfer later when the contract has balance again.

Assessed type

Token-Transfer
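The capped transfer quoted in the report next to the carry-over approach from its recommended mitigation, as an added example that is not part of the original report or the Ajna code base. Only the cap line and the names `rewardsEarned_` and `ajnaBalance` come from the report; the contract name, `pendingRewards`, `claimPending`, the event and the minimal `IERC20` interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

// Minimal ERC20 surface needed by this example (assumption, not the project's import).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract used only to contrast the two payout policies.
contract RewardsPayoutExample {
    IERC20 public immutable rewardToken;

    // Rewards earned but not yet paid because the contract was underfunded.
    mapping(address => uint256) public pendingRewards;

    event RewardsDeferred(address indexed staker, uint256 amount);

    constructor(IERC20 rewardToken_) {
        rewardToken = rewardToken_;
    }

    // Behaviour described in the report: the shortfall is dropped without a record.
    function _transferCapped(uint256 rewardsEarned_) internal {
        uint256 ajnaBalance = rewardToken.balanceOf(address(this));
        if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance;
        if (rewardsEarned_ != 0) require(rewardToken.transfer(msg.sender, rewardsEarned_), "transfer failed");
    }

    // Mitigation direction: pay what is available and record the remainder per staker.
    function _transferWithCarryOver(uint256 rewardsEarned_) internal {
        uint256 owed = pendingRewards[msg.sender] + rewardsEarned_;
        uint256 ajnaBalance = rewardToken.balanceOf(address(this));
        uint256 payout = owed > ajnaBalance ? ajnaBalance : owed;

        // Update accounting before the external call (checks-effects-interactions).
        pendingRewards[msg.sender] = owed - payout;
        if (owed > payout) emit RewardsDeferred(msg.sender, owed - payout);
        if (payout != 0) require(rewardToken.transfer(msg.sender, payout), "transfer failed");
    }

    // Lets a staker collect a deferred remainder once the contract holds tokens again.
    function claimPending() external {
        _transferWithCarryOver(0);
    }
}
```

An alternative with the same effect on accounting is to revert when the balance is insufficient, so the claim state is not consumed for a partial payout.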

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #361

c4-judge commented 1 year ago

Picodes changed the severity to 3 (High Risk)

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory