Open hats-bug-reporter[bot] opened 4 months ago
Here's an example fix.
+ mapping(IERC20Rebasing => mapping(address => bool)) public override claimed;
function claim(address erc20Rebasing_, address recipient_, uint256 amount_) external virtual returns (uint256) {
_checkAccessForManageBlastERC20Rebasing();
+ require(!claimed[erc20Rebasing_][recipient_], "already claimed");
+ claimed[erc20Rebasing_][recipient_] = true;
return IERC20Rebasing(erc20Rebasing_).claim(recipient_, amount_);
}
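Review bot: the permanent flag written at `claimed[erc20Rebasing_][recipient_] = true;` blocks every later claim for that token/recipient pair, not only a duplicate of one already-paid batch; since rebasing yield keeps accruing, the caller that passes `_checkAccessForManageBlastERC20Rebasing();` could route yield to a given recipient only once per token for the lifetime of the contract. If the intent is to stop a second payout of the same yield, gate on what is still claimable (and on `amount_`) rather than on a one-shot boolean. Also, `public override claimed` only compiles if the variable is declared in an interface or base contract this contract inherits, so that declaration needs to be part of the change as well.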
Thank you for the submission.
This functionality was developed with the expectation that it would be called only by a specific authorised address. It is not expected to be called on behalf of a regular user to withdraw their share of rebasing tokens.
Github username: --
Twitter username: --
Submission hash (on-chain): 0x71185daa4cbc7c30c1ae74b955681c6bab862a36c455aea97c020feb01b90fe0
Severity: high
Description: The claim function is used to claim rebasing tokens on behalf of the caller, and it transfers them to the specified recipient.
The function doesn't check that the recipient hasn't already claimed his rebasing tokens before claiming funds to their address. This allows a malicious recipient who has already received his rebasing tokens to request more tokens even though he has already gotten his rebased tokens. This will lead to theft of the ERC20 rebasing tokens.
https://github.com/Satsyxbt/Fenix-dex-v3/blob/652bfd4d1035c3d63af14522baa611e3d22d963f/src/core/contracts/base/BlastERC20RebasingManage.sol#L42
Recommendation
Let the function revert if the recipient has already received his rebasing tokens.