When adding a reward token, the token address is added to rewardTokens.
263: rewardTokens.push(rewardToken);
If rewardTokens is large enough, accrueRewards will revert with an out-of-gas error, as it loops through rewardsToken
373: for (uint8 i; i < _rewardTokens.length; i++) {
374: IERC20 rewardToken = _rewardTokens[i];
375: RewardInfo memory rewards = rewardInfos[rewardToken];
376:
377: if (rewards.rewardsPerSecond > 0) _accrueRewards(rewardToken, _accrueStatic(rewards));
378: _accrueUser(_receiver, rewardToken);
379:
380: // If a deposit/withdraw operation gets called for another user we should accrue for both of them to avoid potential issues like in the Convex-Vulnerability
381: if (_receiver != _caller) _accrueUser(_caller, rewardToken);
382: }
This modifier is used for deposits, withdrawals, meaning in such case the core functions will stop working as there is no way to remove elements from rewardTokens, leading to frozen funds in the contract (users unable to withdraw)
Medium
Manual Analysis
Add an appropriate limit to rewardTokens.length in addRewardToken()
The text was updated successfully, but these errors were encountered:
All reactions