search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

sonny2k - rewards are lost when merging and withdrawing tokens because the rewards are not claimed before burning the token #682

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

sonny2k

High

rewards are lost when merging and withdrawing tokens because the rewards are not claimed before burning the token

Summary

rewards are lost when merging or withdrawing tokens because the rewards are not claimed before burning the token.

Vulnerability Detail

Merging or withdrawing tokens requires burning the token. When merging or withdrawing tokens, unclaimed rewards must be claimed before burning the token. This prevents users from losing their rewards when the tokens are burnt. This isn't the case however as unclaimed rewards are not claimed before burning the token. This makes the user's unclaimed rewards to become lost and unclaimable when the tokens are burnt.

Hence, users will lose their rewards when merging or withdrawing tokens because the rewards are not claimed before burning the token. This leads to a permanent freezing of unclaimed rewards as the rewards are lost and unclaimable.

Impact

Permanent freezing of unclaimed rewards

Code Snippet

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/VotingEscrow.sol#L1195

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/VotingEscrow.sol#L955

Tool used

Manual Review

Recommendation

Consider claiming the rewards before burning the token

References

This report is inspired by the report from Immunefi Alchemix Boost #30826

Duplicate of #235