Lines of code

Vulnerability details

Proof of Concept

The claim method in PirexRewards iterates over the rewardTokens array for a producerToken. Now this array is completely managed by the contract’s owner who can call addRewardToken which pushes a new value in that array, as many times as he decides with whatever value he decides.

Let’s look at the following scenario:

1. Owner has turned malicious or is compromised
2. Owner calls addRewardToken a huge amount of times, which results in the rewardTokens array being huge
3. Now when a user calls claim the code will take a crazy amount of gas, because it has to iterate over the whole rewardTokens array. Since the amount of gas will possibly be more than the block gas limit, this results in a DoS and the user won’t be able to claim.

Or this scenario:

1. Owner has turned malicious or is compromised
2. Owner calls addRewardToken with an address that is not really a token
3. Now when a user calls claim the code will try to do a call to producer.claimUserReward giving the address of the rewardToken, but since it is not really a token (or maybe it is just a random address with no bytecode) the call will revert. Actually it will always revert, which is a DoS state.

Impact

This is a centralisation vulnerability allowing the owner to stop the user rewards anytime. Since it requires a malicious/compromised owner it is Medium severity

Recommendation

Add a way for the user to claim rewards only from a token he chooses, not to have to go through all reward tokens on each claim.

The text was updated successfully, but these errors were encountered:

All reactions