`rewardTokens` can be removed by owner without claiming them first #100
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-271
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexRewards.sol#L179
https://github.com/code-423n4/2022-11-redactedcartel/blob/03b71a8d395c02324cb9fdaf92401357da5b19d1/src/PirexRewards.sol#L387
Vulnerability details
Impact
Any unclaimed rewardTokens will be unclaimable once a `rewardToken` has been removed from the `producerTokens[producerToken].rewardTokens` list.
Proof of Concept
The owner can call `removeRewardToken` to remove any `rewardToken` from a `producerToken`. However, if the `rewardToken` still has unclaimed rewards, as evidenced by `producerTokens[producerToken].rewardStates`, these rewards will be unclaimable.
The `claim` function, once it has identified the `producerToken`, loops through the `rewardTokens` list and claims rewards as marked in `rewardStates[rewardToken]`. However, if a rewardToken has been removed, even if `rewardStates[rewardToken]` is non-zero, it would not be claimable.
Tools Used
manual
Recommended Mitigation Steps
Check `require(rewardStates[rewardTokens[removalIndex]] == 0)` before removing the unwanted rewardToken.
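A simplified Python model of the accounting described in this finding, added here as an illustration and not taken from PirexRewards.sol. It assumes a single claimant who owns all rewards, and the class, method and token names are hypothetical. It compares removal without the recommended `rewardStates == 0` check against removal with it.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""

class ProducerModel:
    """Assumed, simplified model of one producerToken entry (not the contract)."""

    def __init__(self, guard_removal):
        self.reward_tokens = []   # models rewardTokens, the list claim iterates
        self.reward_states = {}   # models rewardStates[rewardToken]
        self.guard_removal = guard_removal

    def add_reward_token(self, token):
        self.reward_tokens.append(token)
        self.reward_states.setdefault(token, 0)

    def accrue(self, token, amount):
        self.reward_states[token] += amount

    def remove_reward_token(self, removal_index):
        token = self.reward_tokens[removal_index]
        # Recommended mitigation: refuse removal while rewards are unclaimed.
        if self.guard_removal and self.reward_states[token] != 0:
            raise Revert("unclaimed rewards remain for " + token)
        del self.reward_tokens[removal_index]

    def claim(self):
        """Pay out every token still in the list; removed tokens are never visited."""
        paid = {}
        for token in self.reward_tokens:
            amount = self.reward_states[token]
            if amount:
                self.reward_states[token] = 0
                paid[token] = amount
        return paid

def scenario(guard_removal):
    """Constructed sample: two reward tokens accrue, then the owner removes one."""
    p = ProducerModel(guard_removal)
    for token, amount in (("TOKEN_A", 100), ("TOKEN_B", 40)):
        p.add_reward_token(token)
        p.accrue(token, amount)
    try:
        p.remove_reward_token(1)
        removed = True
    except Revert:
        removed = False
    paid = p.claim()
    stranded = {t: a for t, a in p.reward_states.items() if a and t not in p.reward_tokens}
    return removed, paid, stranded
```

`scenario(False)` leaves the removed token's balance recorded in `reward_states` but unreachable by `claim`; `scenario(True)` rejects the removal, so both balances are paid out.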