Closed sherlock-admin closed 1 year ago
2 comment(s) were left on this issue during the judging contest.
panprog commented:
low, because this is the developers choice and the issue of courier being unable to claim rewards is documented and known beforehand, so if user is enrolled as courier he is assumed to know the possible problem
MohammedRizwan commented:
low severity as its a user mistake and user must understand before calling any function
Low severity; panprog's comment is correct
dipp
medium
Users may lose rewards accrued before enrolling as courier
Summary
Users who had rewards before enrolling as a courier will lose those rewards because they are not claimed before setting the user as a courier.
Vulnerability Detail
After enrolling as a courier, a user will no longer be able to call the
claimRewards
function inFactory.sol
due to the function reverting if the sender is a courier.The docs on line 247 states that the user will not be eligible for rewards after enrolling. Users may expect that the rewards accrued up to the point of enrollment are still claimable and unknowingly lock themselves out of claiming their past rewards.
Impact
A user may lose rewards accumulated up to the point of becoming a courier if they do not claim beforehand. Since the
claimRewards
function onLender.sol
may only be called by the factory, the user will have no way to claim their previous rewards.Code Snippet
Factory.sol#L254-L266
Factory.sol#L228-L243
Tool used
Manual Review
Recommendation
Consider adding claiming functionality to the
enrollCourier
function that would allow the user to claim from an array of lenders supplied by the user.