jonah1005
When the owner deposits reward into the contract, the remainder would not be counted. These dust tokens would be left in the contract.
Thereβs a similar issue in takeOutRewardTokens. Since epochs = amount / allocatedTokensPerEpoch; would be zero if amount < allocatedTokensPerEpoch. The owner can pass the check and withdraw extra reward if set amount < allocatedTokensPerEpoch.
<https://github.com/code-423n4/2021-10-covalent/blob/main/contracts/DelegatedStaking.sol#L100-L115>
None
Recommend to check whether amount % allocatedTokensPerEpoch == 0 in depositRewardTokens.
Itβs a bit trickier in takeOutRewardTokens.
There are a few cases the check would miss. The owner canβt withdraw the token after the endEpoch. The owner can bypass the check by withdrawing a little bit at a time. I recommend the dev redesign this function.
The text was updated successfully, but these errors were encountered:
All reactions