The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`claimRewards` / `findRewards` functions are vulnerable to read only reentrancy

cosine

Summary

The claimRewards function inside the LiquidationPool contract can be used by stakers to claim their rewards. As native ether is transferred to the user during this function call, reentering is possible. This function and the findRewards function both do not implement a reentrancy guard. Therefore, an external contract could read from findRewards while the rewards are currently being withdrawn.

Vulnerability Details

Here we can see both functions and that claimRewards allows reentering when receiving native ether, while findRewards reads from the same mapping and both miss a reentrancy guard:

function claimRewards() external {

ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();

for (uint256 i = 0; i < _tokens.length; i++) {

ITokenManager.Token memory _token = _tokens[i];

uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];

if (_rewardAmount > 0) {

delete rewards[abi.encodePacked(msg.sender, _token.symbol)];

if (_token.addr == address(0)) {

(bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");

require(_sent);

} else {

IERC20(_token.addr).transfer(msg.sender, _rewardAmount);

}

function findRewards(address _holder) private view returns (Reward[] memory) {

ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();

Reward[] memory _rewards = new Reward[](_tokens.length);

for (uint256 i = 0; i < _tokens.length; i++) {

_rewards[i] = Reward(_tokens[i].symbol, rewards[abi.encodePacked(_holder, _tokens[i].symbol)], _tokens[i].dec);

}

return _rewards;

}

Therefore, a read only reentrancy possibility occurs.

Impact

The missing guards could lead to critical vulnerabilities in third party protocols that want to build on top of the standard.

Recommendations

Implement a reentrancy guard in the claimRewards function and a read only reentrancy guard in the findRewards function.

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

claims-reentrancy

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!