search

sherlock-audit / 2024-07-kwenta-staking-contracts-judging

1 stars 0 forks source link

dipp - Users might be unable to receive reward if USDC is recovered from the contract #133

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

dipp

Medium

Users might be unable to receive reward if USDC is recovered from the contract

Summary

If USDC is withdrawn from StakingRewardsV2.sol and their are users with > 0 amount of USDCRewards then the getReward function will revert for those users until there is enough USDC in the contract to send as reward.

Vulnerability Detail

The recoverERC20 function in StakingRewardsV2.sol allows the owner to transfer out any ERC20 tokens that aren't kwenta.

USDC is used as a reward token and is sent to users when they call the getReward function if their rewardsUSDC (which tracks the amount of USDC owed to the account) is > 0. If the USDC balance of the contract is less than the rewards owed to the user then the getReward function reverts when it attempts to transfer USDC.

Impact

Users will be unable to receive their rewards until the contract has enough USDC.

Code Snippet

StakingRewardsV2.sol#L710-L714

StakingRewardsV2.sol#L353-L384

Tool used

Manual Review

Recommendation

Consider not allowing USDC to be recovered in the recoverERC20 function or only transfer USDC in the _getReward function if the balance of USDC in the contract is >= the users owed rewardsUSDC amount.