The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

claimRewards will fail if the reward recipient is blocklisted in USDT.

Summary

If the protocol uses USDT as an accepted collateral asset, claimRewards will fail when the reward recipient is blocklisted in USDT.

Vulnerability Details

claimRewards in the liquidation pool contract is the final step of the liquidation process: pool holders receive their allocated rewards in the form of discounted liquidated assets. However, this function can revert if the rewards are in USDT and the recipient (pool holder) has been blocklisted from receiving USDT.

See line 193 of the code below, which transfers the ERC-20 token (e.g. USDT) to msg.sender. Here msg.sender is the blocklisted recipient's address.

File: LiquidationPool.sol
182: function claimRewards() external {
183:     ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens(); // array of accepted collateral assets
184:     for (uint256 i = 0; i < _tokens.length; i++) { // loop over the array of assets
185:         ITokenManager.Token memory _token = _tokens[i];
186:         uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];
187:         if (_rewardAmount > 0) {
188:             delete rewards[abi.encodePacked(msg.sender, _token.symbol)]; // delete the rewards for msg.sender to avoid over-rewarding
189:             if (_token.addr == address(0)) {
190:                 (bool _sent,) = payable(msg.sender).call{value: _rewardAmount}(""); // if zero address, send the native asset to msg.sender
191:                 require(_sent);
192:             } else {
193:                 IERC20(_token.addr).transfer(msg.sender, _rewardAmount); // otherwise send the ERC-20 tokens to msg.sender
194:             }
195:         }

Impact

If claimRewards fails, the rewards in the form of USDT will be trapped inside the liquidity pool contract.
Therefore the proper recipient will also lose their rewards.

Tools Used

Manual review

Recommendations

Introduce an input parameter that specifies the destination address for the ERC-20 USDT transfer in the claimRewards function.
This gives msg.sender (the reward recipient) the option to name another address that can receive the USDT tokens.

function claimRewards(address _destination) external {
    // ... existing code ...
    IERC20(_token.addr).transfer(_destination, _rewardAmount);
    // ... existing code ...
}
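
The failure mode and the recommended fix, as a self-contained Solidity model. This is an added example, not The Standard's code: BlocklistToken, RewardPoolModel, setBlocked, addToken and credit are hypothetical names, and the token's recipient check models the behaviour this report describes for USDT.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: a simplified model, not The Standard's LiquidationPool.
// BlocklistToken is a hypothetical test double whose transfer reverts for a
// blocklisted recipient (the behaviour the report describes for USDT).
contract BlocklistToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blocked;
    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }
    function setBlocked(address who, bool flag) external { blocked[who] = flag; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blocked[to], "recipient blocklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract RewardPoolModel {
    BlocklistToken[] public tokens; // accepted reward tokens
    mapping(address => mapping(address => uint256)) public rewards; // holder => token => amount
    function addToken(BlocklistToken token) external { tokens.push(token); }

    // Test helper: the pool must already hold `amount` of `token`.
    function credit(address holder, BlocklistToken token, uint256 amount) external {
        rewards[holder][address(token)] += amount;
    }

    // Shape of the reported function: every token goes to msg.sender, so one
    // reverting transfer reverts the whole claim (and rolls back the deletes).
    function claimRewards() external { _claim(msg.sender); }

    // The report's recommendation: the holder names the receiving address.
    function claimRewards(address destination) external {
        require(destination != address(0), "zero destination");
        _claim(destination);
    }

    function _claim(address destination) private {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 amount = rewards[msg.sender][address(tokens[i])];
            if (amount == 0) continue;
            delete rewards[msg.sender][address(tokens[i])];
            require(tokens[i].transfer(destination, amount), "transfer failed");
        }
    }
}
```

With two tokens added and the holder blocked on one of them, claimRewards() reverts for both tokens, while claimRewards(destination) with an unblocked address pays both out.
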
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

oceansky Submitter
over 1 year ago