The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

LiquidationPool: claimRewards() not possible when transfer fails

Summary

LiquidationPool: claimRewards() not possible when transfer fails

Vulnerability Details

claimRewards() loops through the accepted tokens array and transfers each token to the sender.
When one of those transfers fails, the whole reward process fails. There are multiple reasons why a transfer could fail:

1.) Blocked addresses (e.g., USDC)
2.) The balance of the asset is 0 inside the pool because all have been borrowed, but it is still listed under asset. Some tokens revert for zero-value transfers (see https://github.com/d-xo/weird-erc20)
3.) Paused tokens
4.) Upgradeable tokens that changed the implementation

Impact

Rewards distribution can be DoSed. In certain conditions, this might even be triggerable by the user. For instance, a user could try to get on the USDC blacklist to avoid liquidations.

Tools Used

Manual review

Recommendations

Catch reverts of the transfer and skip this asset (but it could be kept in the assets list to allow retries later on).
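
One way to implement this recommendation, as an added example rather than The Standard's LiquidationPool code: the contract name, the `pending` mapping and the `RewardSkipped` event are hypothetical. A low-level call is used so that a reverting, paused or blocklisting token makes the helper return `false` instead of aborting the whole loop.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration. RewardPayout, pending and acceptedTokens are hypothetical
// names and storage layout, not the audited contract's.
contract RewardPayout {
    address[] public acceptedTokens;
    // holder => token => unclaimed reward amount
    mapping(address => mapping(address => uint256)) public pending;

    event RewardSkipped(address indexed holder, address indexed token, uint256 amount);

    function claimRewards() external {
        for (uint256 i = 0; i < acceptedTokens.length; i++) {
            address token = acceptedTokens[i];
            uint256 amount = pending[msg.sender][token];
            // Skipping zero amounts avoids tokens that revert on zero-value transfers.
            if (amount == 0) continue;

            // Zero the entry before the external call so a re-entrant claim sees nothing.
            pending[msg.sender][token] = 0;
            if (!_tryTransfer(token, msg.sender, amount)) {
                // Transfer failed: restore the entry so the holder can retry later.
                pending[msg.sender][token] = amount;
                emit RewardSkipped(msg.sender, token, amount);
            }
        }
    }

    // Returns false instead of reverting when the token call fails.
    function _tryTransfer(address token, address to, uint256 amount) private returns (bool) {
        // A call to an address without code would report success, so reject it.
        if (token.code.length == 0) return false;
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        if (!ok) return false;               // reverted: blocked address, paused token, ...
        if (ret.length == 0) return true;    // token that returns no value
        // Decode as uint256 so malformed return data cannot make the decode revert.
        return ret.length >= 32 && abi.decode(ret, (uint256)) != 0;
    }
}
```

With this shape, one failing asset only delays that asset's payout; the remaining tokens in the loop are still transferred in the same call.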

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
