Beedle - Oracle free perpetual lending
BeedleFi
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high

No limit on the amount of reward tokens that can be claimed

Cryptic Snake REACH

Summary

There is no limit on the amount of reward tokens that can be claimed. The balance could be drained.

Vulnerability Details

Reentrancy attack could occur in the claimable function of the Staking.sol. The function could be vulnerable to a reentrancy attack because it calls the updateFor function, which updates the user's index and claimable rewards. If an attacker were to call the claimable function while the updateFor function was still executing, the attacker could potentially withdraw more rewards than they are entitled to.

/// @notice claim rewards
function claim() external {
updateFor(msg.sender);
WETH.transfer(msg.sender, claimable[msg.sender]);
claimable[msg.sender] = 0;
balance = WETH.balanceOf(address(this));
}
/// @notice update the index for a user
/// @param recipient the user to update
function updateFor(address recipient) public {
update();
uint256 _supplied = balances[recipient];
if (_supplied > 0) {
uint256 _supplyIndex = supplyIndex[recipient];
supplyIndex[recipient] = index;
uint256 _delta = index - _supplyIndex;
if (_delta > 0) {
uint256 _share = _supplied * _delta / 1e18;
claimable[recipient] += _share;
}
} else {
supplyIndex[recipient] = index;
}
}

Impact

The balance could be drained

Tools Used

Manual code review

Recommendations

A way to prevent a reentrancy attack is to use the lock statement. The lock statement prevents other functions from being called while the lock statement is executing. This can be used to ensure that the updateFor function has finished executing before the claimable function withdraws rewards. For example, the following code would prevent a reentrancy attack using the lock statement:

function claimable() external {
updateFor(msg.sender);
lock();
WETH.transfer(msg.sender, claimable[msg.sender]);
claimable[msg.sender] = 0;
balance = WETH.balanceOf(address(this));
unlock();
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!