The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Staking rewards will not be claimable for removed accepted tokens

flacko

Summary

Rewards from staking for tokens that were once an accepted token but are now not will not be claimable and will essentially be stuck in the LiquidationPool contract until added again back to the accepted tokens set by the token manager.

Vulnerability Details

function claimRewards() external {

→ ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();

for (uint256 i = 0; i < _tokens.length; i++) {

ITokenManager.Token memory _token = _tokens[i];

uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];

if (_rewardAmount > 0) {

delete rewards[abi.encodePacked(msg.sender, _token.symbol)];

if (_token.addr == address(0)) {

(bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");

require(_sent);

} else {

IERC20(_token.addr).transfer(msg.sender, _rewardAmount);

}

When a staker is claiming their rewards the contract fetches all accepted tokens from the token manager and for every token that this user has an allocated reward the contract sends that reward to the user.

If a token however is removed from the acceptedTokens set by the token manager, the rewards for that token will become non-claimable by the user.

Impact

Stakers that don't follow changes in the protocol and are not the first to react will loose the chance to claim their rewards of a token that is getting removed from the accepted tokens set. Even if the protocol announces the removal of that token as an accepted one, there will always be users that'll miss the memo and will loose the chance to claim their rewards.

Tools Used

Manual review

Recommendations

Allow the user to pass an array of token symbols with which they can claim rewards for tokens that are no more part of the acceptedTokens set. This change requires the least changes and introduces least complexity.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

remove-token

hrishibhat Lead Judge

over 1 year ago

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

removetoken-low

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.