Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-03-NEOTOKYO-FINDINGS-ISSUES-432
HistoryMar 15, 2023 - 12:00 a.m.

User Rewards will be lost in case of Withdraw

2023-03-1500:00:00
Code4rena
github.com
5
vulnerability impact
user rewards
unclaimed rewards
withdraw process
mitigation steps
manual review
token staking
security document
JSON

Lines of code
<https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1584&gt;
<https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1519&gt;
<https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1388&gt;

Vulnerability details

Impact

User loses his unclaimed rewards
If user withdraw all of his staked tokens he won’t be able to claim rewards

Proof of Concept

the point is used to calculate user rewards and when a user withdraw all of its staked tokens the point will be set to zero and this make him unable to claim rewards because β€˜uint256 share = points * _PRECISION / pool.totalPoints * totalReward;’ formula in getRewardPool that calculates user rewards will be zero and user can’t claim his unclaimed rewards .

Tools Used

Manual Review

Recommended Mitigation Steps

Consider claiming underlying reward in withdraw process .

The text was updated successfully, but these errors were encountered:

All reactions

JSON