Closed sherlock-admin3 closed 2 months ago
2 comment(s) were left on this issue during the judging contest.
0xmystery commented:
Low/QA at most on an intended design
Hash01011122 commented:
Low/Info, Chances of this to play in actual time is not possible.
zhuying
Medium
claimAccountRewards
could revert if many users want to claim at the same timeSummary
claimAccountRewards
could revert if many users want to claim at the same time.Vulnerability Detail
If a user want to claim reward, he call
claimAccountRewards
._claimAccountRewards
will be called next. In`_claimAccountRewards
:If
emissionRatePerYear
> 0,_accumulateSecondaryRewardViaEmissionRate
will be called.additionalIncentiveAccumulatedPerVaultShare
will be calculated.The average block time for Ethereum and Arbitrum is approximately 12 seconds. If many users want to claim at the same time, min of
timeSinceLastAccumulation
is 12s. Constants.YEAR = 86400 3600 = 31104000. It's very likely that the divisor (timeSinceLastAccumulation uint256(Constants.INTERNAL_TOKEN_PRECISION) state.emissionRatePerYear) is less than the dividend(Constants.YEAR totalVaultSharesBefore). So the function will revert leading to the claim failing.Impact
claimAccountRewards
could revert if many users want to claim at the same time.Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/common/VaultRewarderLib.sol#L383-L387
Tool used
manual
Recommendation
Add check: if the divisor is less than the dividend , then additionalIncentiveAccumulatedPerVaultShare = 0.