Lucene search
K

6 matches found

Code423n4
Code423n4
added 2022/09/19 12:0 a.m.10 views

rewards stuck in StakingRewards because of division rounding error in notifyRewardAmount() and rewardPerToken() and updateReward()

Lines of code Vulnerability details Impact In all functions notifyRewardAmount and rewardPerToken and updateReward there is a division which cause division rounding error and make some rewards to stuck in contract and users don't get their rewards and so users would lose funds. Proof of Concept...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2022/09/19 12:0 a.m.7 views

rewarding is not started after StakingRewards contract deployment and there is no specific time set for contract start time of rewarding, users stacked their funds has no way knowing when is rewarding is going to be started

Lines of code Vulnerability details Impact after StakingRewards the constructor logic set value for rewardRate and rewardsDuration but rewarding is not started for stackers and users has no way to find out when is rewarding going to be started. only reward Distributer can start rewarding process...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/09/19 12:0 a.m.9 views

recoverERC20() in StakingRewards shouldn't allow transfer of rewardToken because it belongs to users who stacked their funds and owner shouldn't be able to immediately withdraw those users funds

Lines of code Vulnerability details Impact rewardToken balance in StakingRewards contract is belongs to staking users and owner shouldn't be able to withdraw all balance of rewardToken immediately, because this can cause users to lose their funds if owner perform this action by intention or by...

6.9AI score
Exploits0
Code423n4
Code423n4
added 2022/06/03 12:0 a.m.9 views

BkdLocker#depositFees() can be front run to steal the newly added rewardToken

Lines of code Vulnerability details Every time the BkdLockerdepositFees gets called, there will be a surge of rewards per locked token for the existing stakeholders. This enables a well-known attack vector, in which the attacker will take a large portion of the shares before the surge, then claim...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/04/29 12:0 a.m.6 views

Function recoverERC20 in StakingRewards allows an owner to transfer out any token except stakingToken

Judge @GalloDaSballo has assessed the 1st item in QA Report 254 as Medium risk. The relevant finding follows: … Function recoverERC20 in StakingRewards allows an owner to transfer out any token except stakingToken. I see 2 problems with this: 1. It should also forbid transferring of rewardsToken,...

6.7AI score
Exploits0
Code423n4
Code423n4
added 2022/02/09 12:0 a.m.9 views

deposit wrong implementation

Lines of code Vulnerability details the user is the user of msg.sender, which is always the StakingRewards contract, instead of recepient. one of the problems that are caused by this is that anyone who deposits, will get the rewards of all the other users, because everyone shares the same user...

6.9AI score
Exploits0
Rows per page
Query Builder