It is possible that block.timestamp can be manipulated by a user, thus allowing a malicious user to continuously accrue rewards they are not due. As long as the value is not 0, rewards will be accrued.

    function userAccrue(ERC20 producerToken, address user) public {
        if (address(producerToken) == address(0)) revert ZeroAddress();
        if (user == address(0)) revert ZeroAddress();
        UserState storage u = producerTokens[producerToken].userStates[user];
        uint256 balance = producerToken.balanceOf(user);
        // Calculate the amount of rewards accrued by the user up to this call
        uint256 rewards = u.rewards +
            u.lastBalance *
            (block.timestamp - u.lastUpdate);
        u.lastUpdate = block.timestamp.safeCastTo32();
        u.lastBalance = balance.safeCastTo224();
        u.rewards = rewards;
        emit UserAccrue(producerToken, user, block.timestamp, balance, rewards);
    }

The following math means that as long as block.timestamp - u.lastUpdate is > 0, rewards will be accrued, which can be withdrawn at any time and will be rewards this user is not due.

    // Calculate the amount of rewards accrued by the user up to this call
    uint256 rewards = u.rewards +
        u.lastBalance *
        (block.timestamp - u.lastUpdate);

static code audit
Save the last timestamp to a mapping and do not allow it to be updated unless rewardClaimed == true. Make users withdraw any rewards accrued before allowing an update to values which may be used to accrue rewards or increase reward values as a matter of course.
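
A Python model of the accrual step quoted above, added here as an illustration (not code from this issue or from the project), to quantify how much a given block.timestamp offset changes the credited rewards. `now` stands in for block.timestamp; the balances and times are constructed sample values, and reverting on a backwards timestamp is an assumption about checked arithmetic.

```python
from dataclasses import dataclass


@dataclass
class UserState:
    last_update: int = 0   # u.lastUpdate (uint32 on-chain)
    last_balance: int = 0  # u.lastBalance (uint224 on-chain)
    rewards: int = 0       # u.rewards


def user_accrue(u: UserState, balance: int, now: int) -> int:
    """Apply the quoted accrual step; `now` stands in for block.timestamp."""
    if now < u.last_update:
        # Assumption: the subtraction is checked and reverts on underflow.
        raise ArithmeticError("timestamp earlier than lastUpdate")
    if now >= 2**32 or balance >= 2**224:
        # Models safeCastTo32 / safeCastTo224 reverting on overflow.
        raise OverflowError("safe cast would revert")
    # Rewards grow by the *previous* balance times the seconds elapsed.
    u.rewards += u.last_balance * (now - u.last_update)
    u.last_update = now
    u.last_balance = balance
    return u.rewards


def run(call_times, balance: int) -> int:
    """Call user_accrue at each time with a constant balance; return rewards."""
    u = UserState()
    for t in call_times:
        user_accrue(u, balance, t)
    return u.rewards


def offset_effect(balance: int, start: int, elapsed: int, offset: int) -> int:
    """Extra rewards credited when the closing timestamp is `offset` s later."""
    honest = run([start, start + elapsed], balance)
    shifted = run([start, start + elapsed + offset], balance)
    return shifted - honest


if __name__ == "__main__":
    # Constructed sample: balance 500, one hour, closing timestamp 15 s late.
    print("one call over the hour:", run([1000, 4600], 500))
    print("a call every second:   ", run(range(1000, 4601), 500))
    print("extra from 15 s offset:", offset_effect(500, 1000, 3600, 15))
```
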