Code4rena finding: code423n4 / 2022-11-redactedcartel-findings, issue 324
Nov 28, 2022

User can continuously accrue rewards they are not due

timestamp manipulation
unauthorized rewards
static code audit
mitigation steps

Lines of code

Vulnerability details

Impact

block.timestamp is supplied by the block producer and is trusted by the contract without any validation. A malicious actor who can influence it can therefore continuously accrue rewards they are not due: as long as block.timestamp - u.lastUpdate is non-zero, rewards are accrued.

function userAccrue(ERC20 producerToken, address user) public {
    if (address(producerToken) == address(0)) revert ZeroAddress();
    if (user == address(0)) revert ZeroAddress();

    UserState storage u = producerTokens[producerToken].userStates[user];
    uint256 balance = producerToken.balanceOf(user);

    // Calculate the amount of rewards accrued by the user up to this call.
    // Elapsed time is taken from block.timestamp, which is not validated here.
    uint256 rewards = u.rewards +
        u.lastBalance *
        (block.timestamp - u.lastUpdate);

    u.lastUpdate = block.timestamp.safeCastTo32();
    u.lastBalance = balance.safeCastTo224();
    u.rewards = rewards;

    emit UserAccrue(producerToken, user, block.timestamp, balance, rewards);
}

Because of the following arithmetic, rewards are added whenever block.timestamp - u.lastUpdate is greater than zero, scaled by the stored balance. Those rewards can be withdrawn at any time, and any portion produced by a manipulated timestamp is rewards the user is not due:

    // Calculate the amount of rewards accrued by the user up to this call
    uint256 rewards = u.rewards +
        u.lastBalance *
        (block.timestamp - u.lastUpdate);
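The arithmetic above as an added example (not code from the report or from the Redacted Cartel project): a Python model of userAccrue() that replays a sequence of accrual calls and shows that the reward term is linear in block.timestamp, so every second the timestamp is pushed forward is worth lastBalance reward units. The names UserState, user_accrue, simulate and timestamp_inflation, and the token amounts and timestamps in the scenario, are assumptions made for the example.

```python
# Added example (not part of the Code4rena report or the Redacted Cartel
# codebase): a Python model of the userAccrue() arithmetic quoted above,
# used to show how the accrued amount depends on block.timestamp.
from dataclasses import dataclass

UINT32_MAX = 2**32 - 1     # u.lastUpdate is stored as uint32 (safeCastTo32)
UINT224_MAX = 2**224 - 1   # u.lastBalance is stored as uint224 (safeCastTo224)


def safe_cast(value: int, max_value: int) -> int:
    """Mirror of the safeCast helpers: revert instead of silently truncating."""
    if value < 0 or value > max_value:
        raise OverflowError(f"{value} does not fit in the target width")
    return value


@dataclass
class UserState:
    last_update: int = 0    # timestamp of the previous accrual
    last_balance: int = 0   # producer-token balance at the previous accrual
    rewards: int = 0        # rewards accrued so far


def user_accrue(u: UserState, balance: int, block_timestamp: int) -> int:
    """Same arithmetic as the contract: rewards += lastBalance * elapsed seconds.

    Solidity 0.8 reverts on the underflow that block.timestamp - u.lastUpdate
    would produce for a timestamp earlier than the last update, so raise too.
    """
    if block_timestamp < u.last_update:
        raise ArithmeticError("block.timestamp before lastUpdate (underflow)")
    rewards = u.rewards + u.last_balance * (block_timestamp - u.last_update)
    u.last_update = safe_cast(block_timestamp, UINT32_MAX)
    u.last_balance = safe_cast(balance, UINT224_MAX)
    u.rewards = rewards
    return rewards


def simulate(events: list[tuple[int, int]]) -> int:
    """Replay (block_timestamp, balance) accrual calls; return the final rewards."""
    u = UserState()
    total = 0
    for ts, bal in events:
        total = user_accrue(u, bal, ts)
    return total


def timestamp_inflation(last_balance: int, skew_seconds: int) -> int:
    """Extra reward units produced if block.timestamp is pushed forward by skew_seconds.

    The accrual term is linear in (block.timestamp - lastUpdate), so every
    second of skew is worth lastBalance reward units, with no cap.
    """
    return last_balance * skew_seconds


# Constructed scenario (assumed values): a user holds 1,000 producer tokens and
# accrues at t=100, t=160 and t=175 with honest timestamps, then the same
# sequence with the last block's timestamp pushed 15 seconds into the future.
HONEST = [(100, 1_000), (160, 1_000), (175, 1_000)]
SKEWED = [(100, 1_000), (160, 1_000), (190, 1_000)]

if __name__ == "__main__":
    honest = simulate(HONEST)
    skewed = simulate(SKEWED)
    print(f"honest rewards: {honest}")
    print(f"skewed rewards: {skewed}")
    print(f"extra from +15s skew: {skewed - honest} "
          f"(expected {timestamp_inflation(1_000, 15)})")
```

Two calls in the same block (equal timestamps) add nothing, which is the "value is not 0" condition in the report; any positive difference, honest or not, is credited in full.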

Tools Used

static code audit

Recommended Mitigation Steps

Save the last timestamp in a mapping and do not allow it to be updated unless rewardClaimed == true: make users withdraw any rewards already accrued before allowing an update to the values used to accrue rewards, rather than increasing the reward values as a matter of course.

