code423n4 | Code4rena | CODE423N4:2022-05-AURA-FINDINGS-ISSUES-50
May 15, 2022 - 12:00 a.m.

User can forfeit other user rewards

2022-05-15 00:00:00 | Code4rena | github.com

Lines of code

Vulnerability details

Impact

A user can forfeit another user's rewards by passing a higher _startIndex to the getReward function.

Proof of Concept

  1. Assume User B has not received any reward yet, so userClaims[_token][User B] = 0.
  2. User A calls the getReward function with _account set to User B and _startIndex set to 5.
  3. This eventually calls _allClaimableRewards at ExtraRewardsDistributor.sol#L213, which computes epochIndex = 5 > 0 ? 5 : 0 = 5.
  4. Assuming tokenEpochs is 10 and latestEpoch is 8, the reward will be computed from epoch 5 through epoch index 7, and _allClaimableRewards will return 7 as the index.
  5. _getReward will simply update userClaims[_token][User B] to 7.
  6. This is incorrect because, as far as the contract is concerned, User B has received rewards for epochs 0-7 even though he only received rewards for epochs 5-7.

Recommended Mitigation Steps

Do not allow users to call the getReward function for other users.
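The accounting from the proof of concept and the effect of the recommended mitigation, as a simplified Python model added here (not the ExtraRewardsDistributor source). The flat per-epoch reward, the account names and the self_claim_only switch are assumptions; tokenEpochs, latestEpoch and the start index are the values used in the steps above.

```python
# Simplified model of the claim bookkeeping described in the proof of concept.
# Constructed values; this is not the contract's code.
REWARD_PER_EPOCH = 100   # assumption: flat reward for every epoch
TOKEN_EPOCHS = 10        # from the PoC
LATEST_EPOCH = 8         # from the PoC


class Distributor:
    def __init__(self, self_claim_only):
        self.self_claim_only = self_claim_only  # models the recommended mitigation
        self.user_claims = {}                   # account -> stored claim index
        self.paid = {}                          # account -> epochs actually paid out

    def _all_claimable(self, account, start_index):
        # epochIndex = _startIndex > userClaims ? _startIndex : userClaims
        epoch_index = max(start_index, self.user_claims.get(account, 0))
        epochs = [i for i in range(epoch_index, TOKEN_EPOCHS) if i < LATEST_EPOCH]
        return epochs, (epochs[-1] if epochs else epoch_index)

    def get_reward(self, caller, account, start_index):
        if self.self_claim_only and caller != account:
            raise PermissionError("caller may only claim for itself")
        epochs, index = self._all_claimable(account, start_index)
        if epochs:
            self.user_claims[account] = index   # step 5: pointer jumps to 7
            self.paid.setdefault(account, []).extend(epochs)
        return len(epochs) * REWARD_PER_EPOCH

    def forfeited(self, account):
        """Epochs below the stored index that were never paid out."""
        pointer = self.user_claims.get(account, 0)
        paid = self.paid.get(account, [])
        return [i for i in range(pointer) if i not in paid]


def run_poc(self_claim_only):
    """User A claims for User B with start index 5; returns B's index and lost epochs."""
    d = Distributor(self_claim_only)
    try:
        d.get_reward("userA", "userB", 5)
    except PermissionError:
        pass  # mitigated: the third-party call is rejected, B's state is untouched
    return d.user_claims.get("userB", 0), d.forfeited("userB")
```
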

