leastwood
The claimRewards function is called upon by ticket holders who parse a set of _epochIds they wish to claim rewards on. An internal call is made to _calculateRewardAmount to calculate the correct reward amount owed to the user. Subsequently, the _updateClaimedEpoch function will set the epoch bit of the tracked _claimedEpochs mapping, ensuring an epochId cannot be claimed twice for a given promotion.
However, there may be inaccuracies in the _calculateRewardAmount function, which results in more tokens being sent out than allocated by a promotion creator. This severely impacts the ability for users to claim their owed tokens on other promotions.
function claimRewards(
address _user,
uint256 _promotionId,
uint256[] calldata _epochIds
) external override returns (uint256) {
Promotion memory _promotion = _getPromotion(_promotionId);
uint256 _rewardsAmount;
uint256 _userClaimedEpochs = _claimedEpochs[_promotionId][_user];
for (uint256 index = 0; index < _epochIds.length; index++) {
uint256 _epochId = _epochIds[index];
require(
!_isClaimedEpoch(_userClaimedEpochs, _epochId),
"TwabRewards/rewards-already-claimed"
);
_rewardsAmount += _calculateRewardAmount(_user, _promotion, _epochId);
_userClaimedEpochs = _updateClaimedEpoch(_userClaimedEpochs, _epochId);
}
_claimedEpochs[_promotionId][_user] = _userClaimedEpochs;
_promotion.token.safeTransfer(_user, _rewardsAmount);
emit RewardsClaimed(_promotionId, _epochIds, _user, _rewardsAmount);
return _rewardsAmount;
}
Manual code review.
Consider checking that the total rewards claimed for a given promotion is strictly <= than the total allotted balance provided by the promotion creator. This should help prevent a single promotion from affecting the rewards claimable from other promotions.
The text was updated successfully, but these errors were encountered:
All reactions