code-423n4 / 2024-01-salty-findings


The input parameter of StakingRewards.claimAllRewards() should be checked, and parameter poolID also needs to be checked #767

Closed c4-bot-2 closed 9 months ago

c4-bot-2 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/StakingRewards.sol#L147

Vulnerability details

Impact: We should check parameters: the input parameter of StakingRewards.claimAllRewards(), and the parameter poolID in the function.

Proof of Concept

We should check the input parameter poolIDs and the inner parameter poolID to prevent errors.

    function claimAllRewards( bytes32[] calldata poolIDs ) external nonReentrant returns (uint256 claimableRewards) {
        mapping(bytes32=>UserShareInfo) storage userInfo = _userShareInfo[msg.sender];

        claimableRewards = 0;
        for( uint256 i = 0; i < poolIDs.length; i++ ) {
            bytes32 poolID = poolIDs[i];

            uint256 pendingRewards = userRewardForPool( msg.sender, poolID );
            .....
        }
        .....
    }

Tools Used

vscode, foundry

Recommended Mitigation Steps

Need to add revert or require.

Assessed type

Error

c4-judge commented 9 months ago

Picodes marked the issue as unsatisfactory: Invalid