search

sherlock-audit / 2023-04-footium-judging

13 stars 7 forks source link

Phantasmagoria - User can lost his rewards #360

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Phantasmagoria

high

User can lost his rewards

Summary

Vulnerability Detail

FootiumPrizeDistributor.sol contract has two functions to claim rewards claimETHPrize and claimERC20Prize. In both functions we have the following statement:

uint256 value = _amount - totalERC20Claimed[_token][_to];

Consider the situation:

For example user earned 4 ETH as rewards. He calls claimETHPrize with 4 ETH amount and successfully claims rewards. totalETHClaimed[_to] value increased by 4 ETH totalETHClaimed[_to] += value; The second time user earned only 3 ETH and when he calls claimETHPrize the following statement reverts due to underflow (value = 3 - 4;).

uint256 value = _amount - totalERC20Claimed[_token][_to];

Now user is unable to receive rewards Then, the owner can change the merkleRoot to a new one, and the user will lose their rewards

function setETHMerkleRoot(bytes32 _merkleRoot) external onlyOwner {
        ethMerkleRoot = _merkleRoot;

        emit SetETHMerkleRoot(ethMerkleRoot);
    }

This issue is persists with ERC20 tokens as well

Impact

User can lost his rewards

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L79-L83

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L91-L95

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L106

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L144

Tool used

Manual Review

Recommendation

When setting new merkleRoot reset totalETHClaimed mapping

Duplicate of #97