search

sherlock-audit / 2023-10-aloe-judging

9 stars 6 forks source link

OxZ00mer - Fees unclaimed by a soon-to-be courier will become stuck #118

Closed sherlock-admin closed 10 months ago

sherlock-admin commented 10 months ago

OxZ00mer

high

Fees unclaimed by a soon-to-be courier will become stuck

Summary

Unclaimed rewards of users, who become couriers will get permanently stuck

Vulnerability Detail

Users can become couriers by invoking enrollCourier() and earn a percentage of shares from referred users.

The problem stems from these users' fees not being explicitly claimed upon becoming couriers. If a user has unclaimed fees and becomes a courier, those fees will become permanently locked since couriers are not permitted to claim rewards.

function claimRewards(Lender[] calldata lenders, address beneficiary) external returns (uint256 earned) {
    require(!isCourier[msg.sender]);

    // ... 
}

Impact

Unclaimed fees of users who become couriers will get permanently stuck.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Factory.sol#L231

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Factory.sol#L254-L266

Tool used

Manual Review

Recommendation

Consider explicitly claiming their fees before making them a courier.

Duplicate of #134

sherlock-admin2 commented 10 months ago

2 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, because this is by-design and mentioned in docs that it's intended behavior

MohammedRizwan commented:

valid