Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid, this is probably the best case scenario to avoid users losing rewards, so an explicit require check is not required
cheatcode
medium
Lack of Balance Validation Before Token Transfer
Summary
The
_redeemRewards
function in theOperationalStaking
contract does not adequately check that the contract has enough tokens to fulfill redemption requests. This can lead to failed transactions and negative user experiences.Vulnerability Detail
The
_redeemRewards
internal function calculates the reward amount, emits a redemption event, and transfers tokens to the beneficiary. However, it does not verify that the contract's token balance can cover the transfer.Impact
If the contract balance is insufficient, the
_transferFromContract
call will fail. This causes transaction failure, gas wastage for users, and loss of trust due to frequent errors.Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L589
Tool used
Manual Review
Recommendation
Verify contract token balance before transfer