search

sherlock-audit / 2023-01-derby-judging

4 stars 1 forks source link

Avci - Users will not able to get another redeemreward if they didnt withdraw #415

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Avci

medium

Users will not able to get another redeemreward if they didnt withdraw

Summary

Users will not able to get another redeemRewardsGame if they didn't withdraw

Vulnerability Detail

withdraw function deletes the user.rewardAllowance value and makes it 0 every time if you have it the problem is if someone didn't want to withdraw will not able to redeemRewardsGame because of this require 

    require(user.rewardAllowance == 0, allowanceError);

withdraw function 

    delete user.rewardAllowance;

Impact

f someone didn't want to withdraw will not able to redeemRewardsGame because of this require

Code Snippet


function redeemRewardsGame(
    uint256 _value,
    address _user
  ) external onlyGame nonReentrant onlyWhenVaultIsOn {
    UserInfo storage user = userInfo[_user];
    require(user.rewardAllowance == 0, allowanceError);

    user.rewardAllowance = _value;
    user.rewardRequestPeriod = rebalancingPeriod;
    totalWithdrawalRequests += _value;
  }

  /// @notice Withdraw the reward allowance set by the game with redeemRewardsGame
  /// @dev Will swap vaultCurrency to Derby tokens, send the user funds and reset the allowance
  function withdrawRewards() external nonReentrant onlyWhenIdle returns (uint256 value) {
    UserInfo storage user = userInfo[msg.sender];
    require(user.rewardAllowance > 0, allowanceError);
    require(rebalancingPeriod > user.rewardRequestPeriod, "!Funds");

    value = user.rewardAllowance;
    value = checkForBalance(value);

    reservedFunds -= value;
    delete user.rewardAllowance;
    delete user.rewardRequestPeriod;

    if (swapRewards) {
      uint256 tokensReceived = Swap.swapTokensMulti(
        Swap.SwapInOut(value, address(vaultCurrency), derbyToken),
        controller.getUniswapParams(),
        true
      );
      IERC20(derbyToken).safeTransfer(msg.sender, tokensReceived);
    } else {
      vaultCurrency.safeTransfer(msg.sender, value);
    }
  }

https://github.com/sherlock-audit/2023-01-derby/blob/main/derby-yield-optimiser/contracts/MainVault.sol#L199

Tool used

Manual Review

Recommendation

consider adding fixing this logic to the way user could redeemRewardsGame without withdrawing every time