The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

TokenManager asset blacklist does not allow to claim pending rewards of this asset

carlitox477

Description

Current LiquidationPool::claimRewards allows to claim reward of current whitelisted assets by the token manager.

If any of this asset is blacklisted by the Token Manager, then this rewards will be unclaimable until they are whitelisted again

Impact

Blacklisting a token from TokenManager forbid users of claiming pending rewards in this token

POC

Alice deposit (TST: 10000, EUR: 10000)
1 PAXG and 1 ETH is distributed, alice receive all given she is the only user with a consolidated stake and has enough EUROS to pay for them at a discounted price
After 1 week there are rumors that PAX hasn't enough funds to cover PAXG, therefore the standard decide to blacklist PAXG from token manager
When Alice claim rewards, she only receive 1 ETH, 1 PAXG still in liquidation pool contract. There is no way for Alice to claim her 1 PAXG

Recommended mitigation

Add an emergency claim reward function that allows to claim any rewards from msg.sender as long as thete are pending rewards to claim

function emergencyClaimReward(

bytes32 tokenSymbol

) external{

uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, tokenSymbol)];

if (_rewardAmount > 0) {

delete rewards[abi.encodePacked(claimer, _token.symbol)];

if (_token.addr == address(0)) {

(bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");

require(_sent);

} else {

IERC20(_token.addr).transfer(msg.sender, _rewardAmount);

}

In addition, if a token is considered to have a mechanism that can exploit rewards funds token manager can include a mapping forbidenTokens, and if the token is included in this mapping. Then if token

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!