Any address that has a nonzero reward for a token _tokens[i] is able to drain all of the contract's funds in that token if the token's transfer function is reentrant (for example, an ERC777 token). As _tokens[i] is arbitrarily implemented, a reentrant transfer function can be assumed to be present among the _tokens.
Let there be an address addr that is a contract and has had its reward pushed for a token token that has a hookable transfer function.
An exploiter creates the addr contract so that it hooks the transfer function whenever tokens are sent to it from ConcurRewardPool. The contract can be called to invoke claimRewards on ConcurRewardPool with a list of length 1, consisting of token. When the transfer occurs, the hook passes control back to addr, which can call claimRewards again with the same argument and be paid out the same amount, as reward[msg.sender][_tokens[i]] hasn't yet been modified.
Manual analysis
Swap lines 37 and 38 in the claimRewards implementation.
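The recommended ordering, written out as an added sketch (not the ConcurRewardPool source): the reward entry is zeroed before the external transfer call, so a re-entered claimRewards reads 0. The contract name RewardPoolSketch, the inline IERC20 interface, the variable getting and the nonReentrant guard are assumptions added for illustration; only claimRewards, reward and _tokens come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface declared inline so the sketch compiles without imports.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract illustrating the fix. How rewards get credited
// into the mapping is outside the scope of this sketch.
contract RewardPoolSketch {
    // reward[recipient][token] = amount owed
    mapping(address => mapping(address => uint256)) public reward;

    // Defense in depth beyond the report's recommendation (assumption):
    // a simple lock that rejects any nested call into a guarded function.
    uint256 private locked = 1; // 1 = unlocked, 2 = inside a guarded call

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function claimRewards(address[] calldata _tokens) external nonReentrant {
        for (uint256 i = 0; i < _tokens.length; i++) {
            address token = _tokens[i];
            uint256 getting = reward[msg.sender][token];
            if (getting == 0) continue; // nothing owed, skip the external call

            // Effect first: clear the balance before control leaves this
            // contract. The ordering described in the report did this after
            // the transfer, so a transfer hook re-entering claimRewards
            // still saw the full amount.
            reward[msg.sender][token] = 0;

            // Interaction last. Tokens that return no value need a
            // safe-transfer wrapper instead of this bare require.
            require(IERC20(token).transfer(msg.sender, getting), "transfer failed");
        }
    }
}
```

With the state update moved ahead of the transfer, the swap alone closes the issue described above; the lock additionally covers re-entry through any other guarded function added to the contract later.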