The function _claimis calculates rewards for users there is an issue occurs in the function. When checkpoint is executed, it updates the state, potentially setting the reward to zero or an incorrect value before the user can claim it.
// Call the checkpoint, if required
if (execCheckPoint) {
checkpoint();
}
// Get the claimed service data
reward = sInfo.reward;
// Check for the zero reward
if (reward == 0) {
revert ZeroValue();
}
// Zero the reward field
sInfo.reward = 0;
the bug is occur because checkpoint updates the reward-related state variables, which can cause the _claim function to fetch an outdated or zero reward value.
Impact
Users might get zero rewards or incorrect amounts, leading to financial loss and decreased trust in the system.
here is a scenario that show the bug
let's say we have :
sInfo.reward before checkpoint: 1000 tokens.
availableRewards before checkpoint: 5000 tokens.
execCheckPoint is set to true.
the _claim is called with serviceId = 1 and execCheckPoint = true.
checkpoint is executed, and due to changes in staking activity, the sInfo.reward is recalculated and set to zero.
_claim then tries to fetch sInfo.reward which is now zero.
The function reverts with ZeroValue, or worse, it sets sInfo.reward to zero and the reward is never claimed correctly.
Result:
The service owner expects to claim 1000 tokens but ends up with zero due to the state update by checkpoint.
Tools Used
manual review
Recommended Mitigation Steps
the reward should be fetched and validated before and after the checkpoint to ensure consistency
Lines of code
https://github.com/code-423n4/2024-05-olas/blob/3ce502ec8b475885b90668e617f3983cea3ae29f/registries/contracts/staking/StakingBase.sol#L488-L503
Vulnerability details
details of the bug
The function _claimis calculates rewards for users there is an issue occurs in the function. When checkpoint is executed, it updates the state, potentially setting the reward to zero or an incorrect value before the user can claim it.
the bug is occur because checkpoint updates the reward-related state variables, which can cause the _claim function to fetch an outdated or zero reward value.
Impact
Users might get zero rewards or incorrect amounts, leading to financial loss and decreased trust in the system.
Result: The service owner expects to claim 1000 tokens but ends up with zero due to the state update by checkpoint.
Tools Used
manual review
Recommended Mitigation Steps
the reward should be fetched and validated before and after the checkpoint to ensure consistency
Assessed type
Other