code-423n4 / 2024-01-salty-findings


user can claim same rewards multiple times and drain protocol of rewards and funds #817

Closed c4-bot-9 closed 9 months ago

c4-bot-9 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/StakingRewards.sol#L147

Vulnerability details

Impact

loss of funds for the protocol and can claim other users' rewards

Proof of Concept

the state variable _userShareInfo[msg.sender] is not updated after the transfer of rewards

```solidity
function claimAllRewards( bytes32[] calldata poolIDs ) external nonReentrant returns (uint256 claimableRewards)
    {
    mapping(bytes32=>UserShareInfo) storage userInfo = _userShareInfo[msg.sender];

    claimableRewards = 0;
    for( uint256 i = 0; i < poolIDs.length; i++ )
        {
        bytes32 poolID = poolIDs[i];

        uint256 pendingRewards = userRewardForPool( msg.sender, poolID );

        // Increase the virtualRewards balance for the user to account for them receiving the rewards without withdrawing
        userInfo[poolID].virtualRewards += uint128(pendingRewards);

        claimableRewards += pendingRewards;
        }

    if ( claimableRewards > 0 )
        {
        // Send the actual rewards
        salt.safeTransfer( msg.sender, claimableRewards );

        emit RewardsClaimed(msg.sender, claimableRewards);
        }
    }
```

Tools Used

manual

Recommended Mitigation Steps

update user state variables for rewards that are claimed to zero

Assessed type

Error
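When reviewing a "state not updated" claim against a function shaped like the one quoted above, the first check is whether the local reference to the user's mapping is a `storage` pointer or a `memory` copy, because only writes through the former reach contract storage. The following cut-down contract, added here as an editor's illustration and not taken from the report or from Salty's code base, places the two patterns side by side; the struct fields, function names and the `ShareInfoDemo` contract name are assumptions for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Salty's code): a minimal model of a per-user,
// per-pool share record, used to show which writes persist.
contract ShareInfoDemo {
    struct UserShareInfo {
        uint128 userShare;
        uint128 virtualRewards;
    }

    // user => poolID => info, mirroring the _userShareInfo layout in the report
    mapping(address => mapping(bytes32 => UserShareInfo)) private _userShareInfo;

    // Same shape as the quoted claimAllRewards: a `storage` reference to the
    // caller's inner mapping. Writes through it go straight to contract
    // storage, so the increment is still visible after the call returns.
    function bumpViaStorage(bytes32 poolID, uint128 amount) external {
        mapping(bytes32 => UserShareInfo) storage userInfo = _userShareInfo[msg.sender];
        userInfo[poolID].virtualRewards += amount;
    }

    // Contrast: copying the struct into `memory` and updating the copy leaves
    // contract storage untouched. This is the defect pattern a reviewer is
    // actually hunting for when a double-claim is suspected.
    function bumpViaMemory(bytes32 poolID, uint128 amount) external {
        UserShareInfo memory info = _userShareInfo[msg.sender][poolID];
        info.virtualRewards += amount; // discarded when the function returns
    }

    // Read back the persisted accounting so a test can compare the two paths.
    function virtualRewardsOf(address user, bytes32 poolID) external view returns (uint128) {
        return _userShareInfo[user][poolID].virtualRewards;
    }
}
```

In a unit test, calling `bumpViaStorage(p, 5)` makes `virtualRewardsOf(caller, p)` return 5, while a further `bumpViaMemory(p, 5)` leaves that value unchanged; the same read-back check against the real contract's accounting is how to settle whether a claim can be repeated.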