sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Closed sherlock-admin closed 7 months ago
sherlock-admin2
commented
7 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
noslav
commented
7 months ago 
nevillehuang
commented
6 months ago Invalid, this is probably the best case scenario to avoid users losing rewards, so an explicit require check is not required
cheatcode
medium
Lack of Balance Validation Before Token Transfer
Summary
The
_redeemRewardsfunction in theOperationalStakingcontract does not adequately check that the contract has enough tokens to fulfill redemption requests. This can lead to failed transactions and negative user experiences.Vulnerability Detail
The
_redeemRewardsinternal function calculates the reward amount, emits a redemption event, and transfers tokens to the beneficiary. However, it does not verify that the contract's token balance can cover the transfer.Impact
If the contract balance is insufficient, the
_transferFromContractcall will fail. This causes transaction failure, gas wastage for users, and loss of trust due to frequent errors.Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L589
Tool used
Manual Review
Recommendation
Verify contract token balance before transfer