The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Valid

User could not get reward in deleted token

Summary

The function for issuing rewards requests the current list of tokens. If a reward is held in a token that is no longer on that list (because the administrator deleted it), the user will not receive the reward, although the token is still on the contract's balance and could be paid out.

Vulnerability Details

The LiquidationPool contract stores rewards for users who are stakers in the form of various tokens.

To receive a reward, the user must call the claimRewards() function, which requests a list of tokens - tokenManager.getAcceptedTokens().

The tokenManager contract (TokenManagerMock) has a function with which the owner can add and REMOVE tokens from the list.

Suppose a token was initially in the list, and the LiquidationPool contract holds this token and makes it available for the user to claim. If the owner then removes this token from the list, the user will not receive it, and the token will simply remain on the contract.

Impact

The user will not receive all the tokens that he is entitled to.

Tools Used

Manual review

Recommendations

The contract must give the user all the tokens that are intended for him. The contract itself should store a list of tokens as well as request the list. If new tokens appear, it should give those away too.
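The behaviour described under Vulnerability Details and the change proposed under Recommendations, as an added example: a simplified Python model, not the project's Solidity code. The class and method names, the token symbols, the holder name and the amounts are constructed for illustration.

```python
class TokenManager:
    """Stand-in for tokenManager: the owner can remove tokens from the list."""
    def __init__(self, tokens):
        self._accepted = list(tokens)

    def get_accepted_tokens(self):
        return list(self._accepted)

    def remove_token(self, symbol):
        self._accepted.remove(symbol)


class LiquidationPool:
    def __init__(self, token_manager):
        self.tm = token_manager
        self.rewards = {}        # (holder, token) -> amount owed
        self.reward_tokens = []  # pool's own record of tokens it has credited

    def credit(self, holder, token, amount):
        key = (holder, token)
        self.rewards[key] = self.rewards.get(key, 0) + amount
        if token not in self.reward_tokens:
            self.reward_tokens.append(token)

    def _pay(self, holder, tokens):
        paid = {}
        for token in tokens:
            amount = self.rewards.pop((holder, token), 0)
            if amount:
                paid[token] = amount
        return paid

    def claim_rewards_current(self, holder):
        # As described in the finding: only the manager's current list is walked.
        return self._pay(holder, self.tm.get_accepted_tokens())

    def claim_rewards_fixed(self, holder):
        # Recommendation: the pool's own list, plus any newly accepted tokens.
        merged = self.reward_tokens + self.tm.get_accepted_tokens()
        return self._pay(holder, list(dict.fromkeys(merged)))

    def stranded(self, holder):
        return {t: a for (h, t), a in self.rewards.items() if h == holder}


def scenario(fixed):
    tm = TokenManager(["ETH", "WBTC"])       # constructed token symbols
    pool = LiquidationPool(tm)
    pool.credit("alice", "ETH", 5)
    pool.credit("alice", "WBTC", 2)
    tm.remove_token("WBTC")                  # owner removes it after rewards accrued
    claim = pool.claim_rewards_fixed if fixed else pool.claim_rewards_current
    return claim("alice"), pool.stranded("alice")
```

`scenario(False)` returns the claim result and the balance still held for the user under the current behaviour; `scenario(True)` returns the same pair with the pool tracking its own token list.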

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

remove-token

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

removetoken-low
