The assignment should be made only if ownerToRollOverQueueIndex[_receiver] == 0
Summary
enlistInRollover makes assignment at the end: ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length; However, this is wrong when ownerToRollOverQueueIndex[_receiver] starts off as non-zero
Vulnerability Detail
enlistInRollover makes assignment at the end: ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length; However, this is wrong when ownerToRollOverQueueIndex[_receiver] starts off as non-zero
Impact
This effectively transfer the ownership of rollover amount of the last rollover to other users, who can then change the receiver and claim the amount
datapunk
high
The assignment should be made only if ownerToRollOverQueueIndex[_receiver] == 0
Summary
enlistInRollover makes assignment at the end:
ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length;
However, this is wrong when ownerToRollOverQueueIndex[_receiver] starts off as non-zeroVulnerability Detail
enlistInRollover makes assignment at the end:
ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length;
However, this is wrong when ownerToRollOverQueueIndex[_receiver] starts off as non-zeroImpact
This effectively transfer the ownership of rollover amount of the last rollover to other users, who can then change the receiver and claim the amount
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L268
Tool used
Manual Review
Recommendation
Move
ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length;
inside of the else blockDuplicate of #2