The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

If token is removed from accepted token list, holders are not able to claim rewards

greatlake

Summary

If token is removed from accepted token list, holders are not able to claim rewards.

Vulnerability Details

To claim reward, user need to call LiquidationPool#claimRewards() function:

function claimRewards() external {
    ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();
    for (uint256 i = 0; i < _tokens.length; i++) {
        ITokenManager.Token memory _token = _tokens[i];
        uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];
        if (_rewardAmount > 0) {
            delete rewards[abi.encodePacked(msg.sender, _token.symbol)];
            if (_token.addr == address(0)) {
                (bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");
                require(_sent);
            } else {
                IERC20(_token.addr).transfer(msg.sender, _rewardAmount);
            }   
        }
    }
}

As can see above, user only can claim rewards with token list returned from getAcceptedTokens() function. In the mock contract, it can be seen that owner are also can remove token from list by using function removeAcceptedToken(). Consider scenario:
1, token A is added to accepted token list
2, Vault X is liquidated with token A in the collateral list, holders got token A as a reward
3, token A is removed from accepted token list for various reason (massive price drop, ....)
4, Holders try to claim token but failed

Impact

Holders are not able to claim tokens that removed from accepted token list.

Tools Used

Manual review

Recommendations

Create and using additional token list that only have token address and symbol when add accepted token list and not being removed when token is removed in accepted token list:

function claimRewards() external {
 -  ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();
 +  ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getTokenLists();

While getTokenLists() function return token list that added when new accepted token is added and seperate from acceptedTokens

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

remove-token

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

removetoken-low

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.