Some reward tokens will be lost if the reward token is a rebasing token
Summary
In PointTokenVault, there is a function that allows users to redeem their reward tokens. If the reward token is a rebasing token, its balance can change while the token is held in the vault.
Vulnerability Detail
Rebasing tokens change their supply according to market conditions, so the same holding can reflect a different value at different points in time. Suppose such a token is used as a reward token inside the protocol. It is sent to the contract from an external protocol and sits in the vault until it is eventually claimed by users. Moreover, the amount that a user can claim is assigned beforehand:
if (isMerkleBased) {
    // If it's merkle-based, only those callers with redemption rights can redeem their point token for rewards.
    bytes32 claimHash =
        keccak256(abi.encodePacked(REDEMPTION_RIGHTS_PREFIX, msg.sender, pointsId, _claim.totalClaimable));
    _verifyClaimAndUpdateClaimed(_claim, claimHash, msg.sender, claimedRedemptionRights);
}
So if a rebasing token was sent into the vault and its balance has changed over time, there will be some leftover in the contract.
Impact
Some tokens will be left unclaimed inside the protocol because the token balance has changed.
Code Snippet
Tool used
Manual Review.
Recommendation
Explicitly prohibit such tokens or create special functionality to handle them.
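The mismatch described above, as an added Python model that is not code from this report or from PointTokenVault: fixed claim amounts are redeemed after the token rebases while sitting in the vault. The share-based token design, the claim amounts and the pro-rata payout (one hypothetical form of the "special functionality" in the recommendation) are all assumptions, and the negative-rebase case goes beyond the leftover case the report describes.

```python
# Simplified model, constructed for illustration; not PointTokenVault code.
class RebasingToken:
    """Share-based rebasing token: balance = shares * supply / total_shares."""
    def __init__(self):
        self.shares, self.total_shares, self.supply = {}, 0, 0

    def balance_of(self, who):
        if self.total_shares == 0:
            return 0
        return self.shares.get(who, 0) * self.supply // self.total_shares

    def mint(self, who, amount):
        minted = amount * self.total_shares // self.supply if self.supply else amount
        self.shares[who] = self.shares.get(who, 0) + minted
        self.total_shares += minted
        self.supply += amount

    def transfer(self, src, dst, amount):
        if amount > self.balance_of(src):
            raise ValueError("insufficient balance")  # models a reverting transfer
        moved = amount * self.total_shares // self.supply
        self.shares[src] -= moved
        self.shares[dst] = self.shares.get(dst, 0) + moved

    def rebase(self, num, den):
        self.supply = self.supply * num // den  # every holder's balance scales


# Constructed amounts standing in for each user's fixed totalClaimable.
CLAIMS = {"alice": 5940, "bob": 3960}


def redeem_all(claims, rebase, pro_rata):
    """Fund the vault, rebase while funds sit there, redeem; return (payouts, leftover)."""
    token = RebasingToken()
    token.mint("vault", sum(claims.values()))
    token.rebase(*rebase)
    outstanding, payouts = sum(claims.values()), {}
    for user, claimable in claims.items():
        amount = claimable  # fixed amount assigned beforehand
        if pro_rata:        # hypothetical handling: share of the live balance
            amount = claimable * token.balance_of("vault") // outstanding
        token.transfer("vault", user, amount)
        outstanding -= claimable
        payouts[user] = token.balance_of(user)
    return payouts, token.balance_of("vault")


if __name__ == "__main__":
    print(redeem_all(CLAIMS, (11, 10), pro_rata=False))  # +10% rebase, fixed claims
    print(redeem_all(CLAIMS, (11, 10), pro_rata=True))   # +10% rebase, pro-rata
```

With a negative rebase such as `(9, 10)` and fixed claims, the last redeemer's transfer raises because the vault no longer holds the assigned amount.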
Clever Powder Ferret
Low/Info
https://github.com/sense-finance/point-tokenization-vault/blob/dev/contracts/PointTokenVault.sol#L183-189