This repository has been archived by the owner on Jul 21, 2024. It is now read-only.
novaman33 - Unhandled return value of transferFrom in topUp() in StakingRewardsManager.sol can lead to users being denied their rewards #8
Labels: Excluded (excluded by the judge without consulting the protocol or the senior); Non-Reward (this issue will not receive a payout); Sponsor Confirmed (the sponsor acknowledged this issue is valid); Will Fix (the sponsor confirmed this issue will be fixed)
novaman33

medium

Summary
Unhandled return value of `transferFrom` in `topUp()` in `StakingRewardsManager.sol` can lead to users being unable to claim their rewards, because `notifyRewardAmount()` will not revert if there is balance left by users who have not claimed their rewards yet.

Vulnerability Detail
`topUp` uses `transferFrom`, which may return false if the transfer did not succeed. However, the return value of `transferFrom()` is not checked, so execution continues into `notifyRewardAmount()`. In `StakingRewards.sol` the function `notifyRewardAmount()` does the following check:

However, if there are still rewards unclaimed by users from a previous stake, `notifyRewardAmount()` will not revert. As a result the contract will be put in a state in which the rewards it holds do not cover what users are owed, and users will be denied their rewards.

Proof of concept:
Consider the following scenario:

- `RewardsAmount` is set to 100 and `RewardsDuration` is set to 7 days.
- `topUp()` is called with a `source` that has enough `rewardToken` for the `transferFrom()` to be successful.
- Alice calls `earned()`, which returns 100, but does not claim the reward, leaving it in the `StakingRewards` contract.
- `topUp()` is called again with a `source` that does not have enough reward tokens. However, the transaction does not revert, because the check in `notifyRewardAmount` returns true, as the balance of the contract's `rewardToken` is equal to `RewardsAmount`.
- Alice calls `earned()`, which returns 200, but when she tries to call claim, the transaction reverts, as `StakingRewards` has fewer tokens than what Alice tries to get.

Impact
The contract is put in a state in which users cannot get their rewards. Therefore I consider it Medium.
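The scenario above, replayed in a toy Python model (an added example, not the Telcoin contracts or the reporter's code): a token whose `transferFrom` returns false instead of reverting, a `topUp` that ignores that value, and a `notifyRewardAmount` whose only check is the contract balance against the announced reward. The `checked` flag is a hypothetical switch between the unchecked pattern and `safeTransferFrom` semantics; balances, names and the per-staker split are constructed for illustration.

```python
# Toy model of the topUp() issue above (added illustration, not Telcoin's code).
# Assumes transferFrom returns False on failure and notify only checks balance.

class NonRevertingToken:
    def __init__(self, balances):
        self.balances = dict(balances)  # constructed sample balances

    def transfer_from(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            return False  # failure signalled only through the return value
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True

class StakingRewards:
    NAME = "StakingRewards"
    def __init__(self, token):
        self.token, self.earned = token, {}  # earned: user -> unclaimed reward

    def notify_reward_amount(self, reward, stakers):
        # Passes whenever balance >= reward, even if that balance is already owed.
        if self.token.balances.get(self.NAME, 0) < reward:
            raise RuntimeError("Provided reward too high")
        for u in stakers:
            self.earned[u] = self.earned.get(u, 0) + reward // len(stakers)

    def get_reward(self, user):
        amount = self.earned.get(user, 0)
        if not self.token.transfer_from(self.NAME, user, amount):
            raise RuntimeError("claim reverts: contract underfunded")
        self.earned[user] = 0
        return amount

def top_up(rewards, source, amount, stakers, checked):
    # checked=False is the vulnerable pattern (return value ignored);
    # checked=True mirrors safeTransferFrom and reverts on a False return.
    ok = rewards.token.transfer_from(source, rewards.NAME, amount)
    if checked and not ok:
        raise RuntimeError("safeTransferFrom: transfer failed")
    rewards.notify_reward_amount(amount, stakers)

def run_scenario(checked):
    # Replay the PoC; returns (contract balance, Alice's earned, claim outcome).
    rewards = StakingRewards(NonRevertingToken({"source1": 100, "source2": 0}))
    top_up(rewards, "source1", 100, ["alice"], checked)  # Alice earns 100, unclaimed
    try:
        top_up(rewards, "source2", 100, ["alice"], checked)  # source2 cannot pay
        claim = rewards.get_reward("alice")
    except RuntimeError as e:
        claim = str(e)
    return rewards.token.balances[rewards.NAME], rewards.earned["alice"], claim
```

With the unchecked pattern the second top-up passes the balance check on tokens that are already owed to Alice, so her 200 claim fails against a balance of 100; with the checked pattern the second top-up itself reverts and her 100 stays fully backed.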
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol?plain=1#L267
Tool used
Manual Review
Recommendation
Replace the use of `transferFrom()` in line 267 in `StakingRewardsManager.sol` with `IERC20(rewardToken).safeTransferFrom()`.