Function claim is vulnerable to Re-enterancy attack by which any malicious user can empty whole pool of claimable(weth) token.
Summary
The function claim in stacking.sol is vulnerable to Re-enterany by which any malicious user who has claimable balance, can empty the whole pool of reward token.
Vulnerability Details
The staking.sol contains the claim function with following code:
in the function claim firstly method updateFor() is used to check if the user who is calling have a claim balance or not if the caller has a claim balance the function transfer the WETH claim token to the caller through transfer() method and then update the claimable balance of caller to 0 this is the only problem here after transfering the WETH reward token the claimable balance of caller gets updated it must be before transfer. Here the malicious user can set a fallback() function calling the claim() method again and the updateFor() again shows the active balance of user because the line
is not been called.
Attack Scenario
Caller with active claim balance call the claim() method and passes the check of updateFor().
After the check claim() transfer the WETH to the caller through transfer(). But the caller address have a fallback function and without giving the transaction success status it calls the claim() again.
it must be set's like this.
Which again calls the claim() without changing the claimable mapping balance of caller address.
Impact
Re-enterancy by which a malicious user can empty the whole pool of claimable WETH tokens.
Tools Used
Manual
Recommendations
Update the claimable balance of the caller to 0 first and then transfer the WETH claimable tokens to the caller address so that if it tries to call the claim() again in the single transaction there is no WETH token for him to claim.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.