search

sherlock-audit / 2023-10-mzero-judging

3 stars 2 forks source link

pashap9990 - if someone participated in just one epoch it can claim reward for every epoch #44

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

pashap9990

high

if someone participated in just one epoch it can claim reward for every epoch

Summary

Lets assume Alice has participated in an epoch 2 years ago and because of this she got 500,000 zero token and after that she hasn't been participated in any another vote epoch til now and she still can claim reward after two years, this issue will be happen because in getClaimable function in DistributionVault contract we use from pastBalancesOf from zero token to get account balance and pastBalancesOf return last amount snapshot

Vulnerability Detail

Please add this function to end of ttg/test/ZeroToken.t.sol

function test_pastBalancesOfDistribution() external {

        MockERC20 _token1 = new MockERC20();

        DistributionVault _vault = new DistributionVault(address(_zeroToken));

        uint256 currentEpoch_ = _zeroToken.clock();

        //Alice got 1000 zero tokens 2 years ago
        _zeroToken.pushBalance(_alice, currentEpoch_ - 20, 1000);
        _zeroToken.pushTotalSupply(currentEpoch_ - 20, 1000);

        _token1.setBalance(address(_vault), 1_000_000);
        _vault.distribute(address(_token1));

        _warpToNextEpoch();

        uint256[] memory balances_ = _zeroToken.pastBalancesOf(_alice, currentEpoch_, currentEpoch_);
        uint256 supplies_ = _zeroToken.pastTotalSupply(currentEpoch_);
        assertEq(balances_.length, 1);
        assertEq(balances_[0], 1000);
        assertEq(supplies_, 1000);
        //after two years she can claim reward
        assertEq(_vault.getClaimable(address(_token1), _alice, currentEpoch_, currentEpoch_), 1_000_000);

    }

Impact

if someone participated in just one epoch it can claim reward for every epoch

Code Snippet

https://github.com/sherlock-audit/2023-10-mzero/blob/main/ttg/src/DistributionVault.sol#L207

Tool used

Manual Review

Recommendation

we have to check user participated in epoch or not if it hasn't participated we have to return zero in getClaimable function

toninorair commented 7 months ago

This is a design choice. ZERO holders are able to claim distribution of rewards as long as they have non-zero balance of ZERO tokens.