SdtRewardReceiver.claimMultipleStaking: rewards will be locked when called with zero sdtRewardCount
Summary
When SdtRewardReceiver.claimMultipleStaking is called with sdtRewardCount as zero, the rewards for the user will be locked in SdtRewardReceiver and cannot be recovered.
Vulnerability Detail
The SdtRewardReceiver.claimMultipleStaking collects rewards from the given staking contracts and transfers the rewards to the msg.sender.
One of the parameters for the function call is sdtRewardCount, which will be used to initiate an array for the _totalSdtClaimable. The array is used to track the reward tokens and their amount for the msg.sender.
For the claimMultipleStaking function to work, the parameter sdtRewardCount should be big enough, so that all the reward tokens for the msg.sender can fit into the _totalSdtClaimable array. For example, if the msg.sender's rewards would be USDC, USDT and DAI, then the sdtRewardCount should be bigger or equal to 3, otherwise the check on the line 180 will revert.
However, if the parameter sdtRewardCount is zero, the loop from line 158 to 185 will not happen at all, therefore the check for on the line 180 will not be triggered.
As the result, the _totalSdtClaimable is zero length array and no rewards will be transferred to the msg.sender, even though all the rewards will be marked as claimed by calling sdtStaking.claimCvgSdtMultiple in the line 144. The user cannot recover the locked rewards.
If a user calls SdtRewardReceiver.claimMultipleStaking with the call parameter sdtRewardCount as zero, the rewards for the call will be locked in the SdtRewardReceiver and cannot be recovered.
lemonmon
medium
SdtRewardReceiver.claimMultipleStaking: rewards will be locked when called with zerosdtRewardCountSummary
When
SdtRewardReceiver.claimMultipleStakingis called withsdtRewardCountas zero, the rewards for the user will be locked inSdtRewardReceiverand cannot be recovered.Vulnerability Detail
The
SdtRewardReceiver.claimMultipleStakingcollects rewards from the given staking contracts and transfers the rewards to the msg.sender. One of the parameters for the function call issdtRewardCount, which will be used to initiate an array for the_totalSdtClaimable. The array is used to track the reward tokens and their amount for the msg.sender.For the
claimMultipleStakingfunction to work, the parametersdtRewardCountshould be big enough, so that all the reward tokens for the msg.sender can fit into the_totalSdtClaimablearray. For example, if the msg.sender's rewards would be USDC, USDT and DAI, then thesdtRewardCountshould be bigger or equal to 3, otherwise the check on the line 180 will revert.However, if the parameter
sdtRewardCountis zero, the loop from line 158 to 185 will not happen at all, therefore the check for on the line 180 will not be triggered.https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L158-L185
As the result, the
_totalSdtClaimableis zero length array and no rewards will be transferred to the msg.sender, even though all the rewards will be marked as claimed by callingsdtStaking.claimCvgSdtMultiplein the line 144. The user cannot recover the locked rewards.https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L144-L147
Impact
If a user calls
SdtRewardReceiver.claimMultipleStakingwith the call parametersdtRewardCountas zero, the rewards for the call will be locked in theSdtRewardReceiverand cannot be recovered.Code Snippet
https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L158-L185
https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Staking/StakeDAO/SdtRewardReceiver.sol#L144-L147
Tool used
Manual Review
Recommendation
Check whether the call parameter
sdtRewardCountfor the functionSdtRewardReceiver.claimMultipleStakingis zero. And if it is zero, revert.Duplicate of #152