search

sherlock-audit / 2023-04-footium-judging

13 stars 7 forks source link

0xnirlin - Prize can only be claimed once, all later prizes cannot be claimed #353

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xnirlin

high

Prize can only be claimed once, all later prizes cannot be claimed

Summary

While claiming prize(ERC20 and ETH) from prizeDistribution contract, if prizes are claimed once, a user cannot claim again from same address.

Vulnerability Detail

FootiumPrizeDistribution contract keeps record of claimed prizes by using two mappings i.e totalERC20Claimed and totalETHClaimed. But the problem is once the prize have been claimed and next phase of distribution start where the new merkle tree is set in the contract, previous mapping is not delete so following sceneios will happen:

  1. Alice can claim 1 eth prize.
  2. Alice claims his prize by providing the proof, to and and _amount.
  3. Mapping is update lets say alice claims eth so now totalEthClaimed[alice] = 1ETH.
  4. Now a new phase of prize distribution starts and there is new merkle tree and this time again alice is eligible to claim 1ETH. But alice will not be able to claim any prize because of following line: 
        uint256 value = _amount - totalETHClaimed[_to];

    so in alice case value = 1ETH - 1ETH, so alice is now entitiled to 0 ETH although in second phase alice claimed nothing and now these funds go unclaimed.

Or in other case if in second phase prize is 2ETH , alice will get the partial reward.

Impact

User cannot claim its entitled prize.

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L106-L134 https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L144-L175

Tool used

Manual Review

Recommendation

While updating the merkle, delete the previous values form mapping and default them to 0.

Duplicate of #18