code-423n4 / 2023-05-venus-findings


Unfair handling of rewards for users with a high amount of rewards #535

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-venus/blob/8be784ed9752b80e6f1b8b781e2e6251748d0d7e/contracts/Rewards/RewardsDistributor.sol#L418-L421

Vulnerability details

Users can claim their rewards in RewardDistributor.claimRewardToken(). The reward handling part is done in _grantRewardToken():

```solidity
416: function _grantRewardToken(address user, uint256 amount) internal returns (uint256) {
417:     uint256 rewardTokenRemaining = rewardToken.balanceOf(address(this));
418:     if (amount > 0 && amount <= rewardTokenRemaining) {
419:         rewardToken.safeTransfer(user, amount);
420:         return 0;
421:     }
422:     return amount;
423: }
```

The function transfers the rewards to the caller. If there is not enough token balance, the function simply returns.

While this is logic by design, it is unfair to users.

Users with a high rewardTokenAccrued will not be able to get any reward if the balance is not sufficient. But in the meantime, other users with a lower reward claim will be able to claim.

Impact

In a situation where the total rewardTokenAccrued is high enough (i.e. the protocol owner needs to periodically transfer tokens to allow users to claim their rewards), users with high rewards can be griefed and not be able to claim any reward for a while.

Tools Used

Manual Analysis

Recommended Mitigation Steps

Allow users to specify how much they want to claim, so that users with a lot of rewards are not penalized.

Assessed type

Other
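The all-or-nothing behaviour described in the finding, and the partial-claim mitigation it recommends, modelled side by side. This is an added example written for this page, not Venus code: the balances and accrued amounts are constructed, and the model assumes (as the finding implies) that the caller stores the remainder returned by `_grantRewardToken` back as the user's still-accrued reward.

```python
"""Model of RewardsDistributor._grantRewardToken and a partial-claim variant.

Constructed example: token balance and accrued amounts are made up.
"""


class RewardsDistributorModel:
    def __init__(self, token_balance: int, accrued: dict[str, int]):
        self.balance = token_balance   # stands in for rewardToken.balanceOf(address(this))
        self.accrued = dict(accrued)   # stands in for rewardTokenAccrued[user]

    def _grant_reward_token(self, user: str, amount: int) -> int:
        """Mirror of the audited function: transfer all or nothing."""
        if 0 < amount <= self.balance:
            self.balance -= amount     # safeTransfer(user, amount)
            return 0
        return amount                  # nothing transferred; whole amount stays owed

    def claim_all(self, user: str) -> int:
        """Original behaviour: claim the full accrued amount. Returns tokens paid."""
        amount = self.accrued[user]
        remaining = self._grant_reward_token(user, amount)
        self.accrued[user] = remaining   # assumption: caller keeps the remainder accrued
        return amount - remaining

    def claim_partial(self, user: str, requested: int) -> int:
        """Mitigated behaviour (assumed design): the user chooses how much to claim."""
        if requested > self.accrued[user]:
            raise ValueError("cannot claim more than accrued")
        remaining = self._grant_reward_token(user, requested)
        paid = requested - remaining
        self.accrued[user] -= paid
        return paid


def original_scenario() -> tuple[int, int, int]:
    """Whale owed 1000, small user owed 10, contract holds 500: whale gets nothing."""
    d = RewardsDistributorModel(token_balance=500, accrued={"whale": 1000, "small": 10})
    paid_whale = d.claim_all("whale")    # 1000 > 500, so nothing is transferred
    paid_small = d.claim_all("small")    # 10 <= 500, so the small user is paid
    return paid_whale, paid_small, d.balance


def mitigated_scenario() -> tuple[int, int, int]:
    """Same state, but the whale claims an amount the contract can actually cover."""
    d = RewardsDistributorModel(token_balance=500, accrued={"whale": 1000, "small": 10})
    paid_whale = d.claim_partial("whale", 490)
    paid_small = d.claim_all("small")
    return paid_whale, paid_small, d.accrued["whale"]
```

Running both scenarios shows the whale paid 0 under the original logic while the small claim succeeds, and paid 490 with 510 still accrued under the partial-claim variant.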

0xean commented 1 year ago

This comes down to a centralization concern and has been called out of scope by the sponsor

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Out of scope