DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: high
Invalid

No restriction for claiming the yield

Summary

Anyone can keep claiming the yield, since there is no check of whether a user has already claimed it.

Vulnerability Details

Users can call the distributeYield function in the YieldFacet contract to claim their yields from different short records. This function loops through the inputted assets and calls the _distributeYield internal function, which calculates the accrued yield for the user based on their collateral and the yield rate: uint88 shortYield = short.collateral.mulU88(zethYieldRate - short.zethYieldRate); After that, the _claimYield function is invoked to credit the user's balance with the rewarded yield. However, no state variable is updated to record whether the user has claimed their yield or when the yield was last claimed. This gives a malicious user the opportunity to keep calling distributeYield and claim the yield without limit.

Impact

An attacker can keep claiming the yield until he drains all of the funds from the contract.

Tools Used

Manual Review

Recommendations

Consider adding a new state variable called lastClaimed and setting it to the current timestamp whenever a user claims the yield for a specific short record. The yield can then be calculated based on the time elapsed since the last claim, or claiming can be allowed only periodically, e.g. every 20 days; which approach to take is up to you.
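The following is an added example, not DittoETH code: a toy model of the accounting formula quoted in Vulnerability Details (shortYield = collateral * (zethYieldRate - short.zethYieldRate)), comparing the behaviour the finding describes (the short record is never updated, so each call pays the same yield again) with a per-record checkpoint that moves short.zethYieldRate to the current vault rate on every claim. All names, amounts and the 18-decimal fixed-point scale are assumptions of the model; the checkpoint is shown as an alternative to the lastClaimed timestamp suggested above.

```python
"""Toy model of the per-short yield accounting described in the finding.
Added example, not DittoETH code. Rates use 18-decimal fixed point (WAD),
in the spirit of the mulU88 helper quoted in the finding."""
from dataclasses import dataclass, field

WAD = 10**18


@dataclass
class ShortRecord:
    collateral: int       # zETH collateral, 18 decimals (constructed value)
    zethYieldRate: int    # per-record checkpoint of the vault rate at last claim


@dataclass
class YieldVault:
    zethYieldRate: int = 0                       # cumulative yield per unit collateral (WAD)
    balances: dict = field(default_factory=dict)  # user -> credited yield

    def accrue(self, rate_increase: int) -> None:
        """Vault earns yield: the cumulative per-collateral rate goes up."""
        self.zethYieldRate += rate_increase

    def distribute_yield(self, user: str, short: ShortRecord, checkpoint: bool) -> int:
        """shortYield = collateral * (zethYieldRate - short.zethYieldRate).

        checkpoint=False: the record is never updated, so every call pays the
        same delta again (the behaviour the finding describes).
        checkpoint=True: the record is moved to the current rate, so a repeated
        call computes a zero delta and pays nothing.
        """
        short_yield = short.collateral * (self.zethYieldRate - short.zethYieldRate) // WAD
        if checkpoint:
            short.zethYieldRate = self.zethYieldRate
        self.balances[user] = self.balances.get(user, 0) + short_yield
        return short_yield


def total_claimed(checkpoint: bool, claims: int = 3) -> int:
    """Scenario: 100 zETH collateral, vault rate rises 5%, user claims `claims` times."""
    vault = YieldVault()
    short = ShortRecord(collateral=100 * WAD, zethYieldRate=vault.zethYieldRate)
    vault.accrue(5 * WAD // 100)  # 0.05 zETH earned per zETH of collateral
    for _ in range(claims):
        vault.distribute_yield("alice", short, checkpoint)
    return vault.balances["alice"]


if __name__ == "__main__":
    print("no checkpoint :", total_claimed(checkpoint=False) / WAD, "zETH")  # 15.0
    print("checkpoint    :", total_claimed(checkpoint=True) / WAD, "zETH")   # 5.0
```

The checkpointed variant credits exactly the 5 zETH that accrued no matter how many times distributeYield is called; the unchecked variant pays it out once per call.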

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
