Lines of code
Vulnerability details
Proof of Concept
The claim method in PirexRewards iterates over the rewardTokens array for a producerToken. This array is managed entirely by the contract’s owner, who can call addRewardToken, which pushes a new value onto that array, as many times as he decides and with whatever value he decides.
Let’s look at the following scenario:
- Owner has turned malicious or is compromised
- Owner calls addRewardToken a huge number of times, which results in the rewardTokens array being huge
- Now when a user calls claim, the call will consume a very large amount of gas, because it has to iterate over the whole rewardTokens array. Since the amount of gas will possibly be more than the block gas limit, this results in a DoS and the user won’t be able to claim.
Or this scenario:
- Owner has turned malicious or is compromised
- Owner calls addRewardToken with an address that is not really a token
- Now when a user calls claim the code will try to do a call to producer.claimUserReward giving the address of the rewardToken, but since it is not really a token (or maybe it is just a random address with no bytecode) the call will revert. Actually it will always revert, which is a DoS state.
Impact
This is a centralisation vulnerability allowing the owner to stop the user rewards at any time. Since it requires a malicious/compromised owner, it is Medium severity.
Recommendation
Add a way for the user to claim rewards only from a token he chooses, not to have to go through all reward tokens on each claim.
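The recommendation above, sketched as an added example (not code from PirexRewards or from this report): the caller names the reward tokens to claim, so nothing iterates an owner-controlled array and one bad entry cannot block the others. The contract name, the per-token claimable accounting, creditReward and the code-length check in addRewardToken are assumptions made for illustration; the code-length check goes beyond the recommendation and only covers the no-bytecode case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration. Names and accounting are hypothetical, not PirexRewards code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SelectiveRewards {
    address public immutable owner;
    mapping(IERC20 => bool) public isRewardToken;
    // Simplified accounting (assumption): user => reward token => claimable amount
    mapping(address => mapping(IERC20 => uint256)) public claimable;

    error NotOwner();
    error NotAContract();
    error UnknownRewardToken();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    function addRewardToken(IERC20 token) external onlyOwner {
        // Rejects addresses with no bytecode (second scenario). A contract that
        // always reverts still passes; selective claiming is what contains it.
        if (address(token).code.length == 0) revert NotAContract();
        isRewardToken[token] = true;
    }

    // Stand-in for the real accrual logic, which is outside this sketch.
    function creditReward(address user, IERC20 token, uint256 amount) external onlyOwner {
        if (!isRewardToken[token]) revert UnknownRewardToken();
        claimable[user][token] += amount;
    }

    // Gas is bounded by the caller's own list, not by how many tokens the owner added.
    function claim(IERC20[] calldata tokens) external {
        for (uint256 i; i < tokens.length; ++i) {
            IERC20 token = tokens[i];
            if (!isRewardToken[token]) revert UnknownRewardToken();
            uint256 amount = claimable[msg.sender][token];
            if (amount == 0) continue;
            claimable[msg.sender][token] = 0; // effects before the external call
            if (!token.transfer(msg.sender, amount)) revert TransferFailed();
        }
    }
}
```

If a listed token reverts on transfer, the whole call reverts and the balances are restored, so the user can retry with that token left out of the list.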