29 matches found
Any user can claim rewards infinitely from the market without respecting the accrued rewards time
Lines of code Vulnerability details Impact calculateSupplyRewardsForUser updates the user accrued rewards based on the user balance of mTokens & on global and user indicies difference which is the time difference between the last reard claim and the current time . Comptroller contract: one of the...
setBooster() function may be used to steal unclaimed rewards in FlywheelCore contract
Lines of code Vulnerability details Lines of code Vulnerability details Impact A malicious owner can steal all unclaimed rewards and break the reward accounting mechanism Proof of Concept Even if the owner is a good guy but the fact that there exists a rug vector available may negatively impact t...
Lack of Access Control in claimRewards Function
Lines of code Vulnerability details Impact The calculateNewRewards function should also check whether the rewardsCapped variable is greater than the rewardsClaimedInEpoch variable to ensure that rewards are not claimed that exceed the reward cap, because an attacker could exploit this vulnerabili...
Users may lose rewards
Lines of code Vulnerability details Impact In RewardsManager.sol we have claimRewards function: function claimRewards uint256 tokenId, uint256 epochToClaim external override StakeInfo storage stakeInfo = stakestokenId; if msg.sender != stakeInfo.owner revert...
Loss of reward for stakingRewardRecipient
Lines of code Vulnerability details Impact Anyone can call claimRewards function with rewardType = LotteryRewardType.STAKING, in which function LotteryMath.calculateRewards is used to calculate reward to transfer to beneficiary. By observing number of ticketsSold calculated from the...
Attacker can cause loss to rToken holders and stakers by running BackingManager._manageTokens before rewards are claimed
Lines of code Vulnerability details Impact The assets that back the rTokens are held by the BackingManager and can earn rewards. The rewards can be claimed via the TradingP1.claimRewards and TradingP1.claimRewardsSingle function. The BackingManager inherits from TradingP1 and therefore the above...
Risk of reentrancy attacks in the claimRewards function
Lines of code Vulnerability details Impact The claimRewards function in the MultiRewardStaking contract is used by users to claim token rewards, but because the function does not contain a nonReentrant modifier and does not implement the CEI standard check-effect-interact it can be subject to...
claimRewards is not re-entrancy safe.
Lines of code Vulnerability details Impact In MultiRewardStaking the function claimRewards doesn’t have nonReentrant which makes it possible to re-enter the function. If one of the reward tokens in ERC-777 token, it is possible to re-enter and claim the reward again and again until the contract i...
reentrancy in MultiRewardStaking::claimRewards for tokens with transfer callbacks, like erc777
Lines of code Vulnerability details Impact An attacker can drain all the tokens from MultiRewardStaking Proof of Concept In claimtRewards important state changes are done after interactions with tokens: File: MultiRewardStaking.sol function claimRewardsaddress user, IERC20 memory rewardTokens...
Overflow tokens
Lines of code Vulnerability details Impact If admin will add more than 255 tokens in rewardToken, there would'nt any way to withdraw tokens or claim rewards Proof of Concept for example: all users deposit their money.After some time admin's add more tokensa, length of array with Token grow's to...
RewardTokens can be locked in MultiRewardStaking contract when the rewardsEndTimestamp of the rewardsTokens are different.
Lines of code Vulnerability details Impact To claim reward tokens from the MultiRewardStaking contract deployed, a user must call claimRewardsaddress user, IERC20 memory rewardsTokens. The rewardsTokens array is populated with getAllRewardsTokens which returns all the reward Tokens the...
MultiRewardStaking claimRewards() reentrancy for ERC-777 reward tokens
Lines of code Vulnerability details Impact A hacker can drain an ERC-777 reward token funds via reentrancy. This is because in the claimRewards function, the transfer of the reward token which triggers the hacker's ERC-777 hook takes place before setting accruedRewardsuserrewardTokensi to zero...
AuraClaimZap's claimRewards can permanently freeze user Aura funds
Lines of code Vulnerability details If claimRewards is called with depositCvxMaxAmount 0 and Options.LockCvx == false, the up to depositCvxMaxAmount AURA tokens are pulled from the user, but never get staked. There looks to be no way to retrieve Aura tokens ended up on AuraClaimZap balance this...
Owner or Managers can rug Aave rewards
Lines of code Vulnerability details Impact A malicious owner or manager can steal all Aave rewards that are meant for PoolTogether users Even if the user is benevolent the fact that there is a rug vector available may negatively impact the protocol's reputation. Proof of Concept File:...
claimRewards() may have a rug risk.
Lines of code Vulnerability details Impact Although claimRewards is supposed to be called by the owner or managers to claim the rewards, it still could be a "rug risk". The owner or managers can take all the rewards unconditionally. Proof of Concept function claimRewardsaddress to external...
Owner can steal rewards
Lines of code Vulnerability details Impact Users may not get their AAVE rewards Proof of Concept The claimRewards function allows the owner to send any rewards distributed by AAVE to any address. The rewards are being earned using user's funds but they aren't returned back to users and the owner...
Manager or owner can send rewards to any address
Lines of code Vulnerability details Impact In the claimRewards function, manager or owner can send rewards to any address. function claimRewardsaddress to external onlyManagerOrOwner returns bool requireto != address0, "AaveV3YS/payee-not-zero-address"; address memory assets = new address; assets...
Reentrency in claimRewards in ConcurRewardPool
Judge @GalloDaSballo has assessed the 1st item in QA Report 163 as Medium risk. The relevant finding follows: … Reentrency in claimRewards in ConcurRewardPool The function claimRewards is open to reenterncy, if the safeTransfer function of a token calls the claimRewards again the tokens can be...
claimRewards() didnt follow the safe check effect pattern
Judge @GalloDaSballo has assessed the 2nd item in QA Report 230 as Medium risk. The relevant finding follows: … Impact a user can claim a reward by calling the claimRewards, however this function didnt follow the correct check effect pattern, where the zero address is set after making an external...
Potential reentrance in claimRewards
Judge @GalloDaSballo has assessed the 1st item in QA Report 36 as Medium risk. The relevant finding follows: … POC IERC20tokensi.safeTransfermsg.sender, getting; rewardmsg.sendertokensi = 0; Considering there are exterTokens, it is possible that some token will provide reentry opportunities...