search

sherlock-audit / 2023-04-footium-judging

13 stars 7 forks source link

SanketKogekar - The user prize balance and `_amount` is not checked in `claimETHPrize()` & `claimERC20Prize()` of contract `FootiumPrizeDistributor` #377

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

SanketKogekar

medium

The user prize balance and _amount is not checked in claimETHPrize() & claimERC20Prize() of contract FootiumPrizeDistributor

Summary

Looks like anyone can claim any amount of rewards (prize) though claimERC20Prize() and claimERC20Prize(). Missing checks and input validation.

Vulnerability Detail

function claimERC20Prize(
        address _to,
        IERC20Upgradeable _token,
        uint256 _amount,
        bytes32[] calldata _proof
    ) external whenNotPaused nonReentrant {
        if (_to != msg.sender) {
            revert InvalidAccount();
        }

        if (
            !MerkleProofUpgradeable.verify(
                _proof,
                erc20MerkleRoot,
                keccak256(abi.encodePacked(_token, _to, _amount))
            )
        ) {
            revert InvalidERC20MerkleProof();
        }

        uint256 value = _amount - totalERC20Claimed[_token][_to];

        if (value > 0) {
            totalERC20Claimed[_token][_to] += value;
            _token.transfer(_to, value);
        }

        emit ClaimERC20(_token, _to, value);
    }

Impact

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L126-L127

Tool used

Manual Review

Recommendation

Add balance check and make sure _amount is greater than 0

require(_amount > 0, "Need amount to be greater than zero")