MorpheusAI

MorpheusAI
Foundry
22,500 USDC
View results
Submission Details
Severity: high
Invalid

`Distribution`._withdraw function can lose user reward

Summary

When a user withdraw token from a pool, the Distribution._withdraw function can lose user reward if a user make 2 withdrawals in a row without claiming his pending reward in the meantime.

Vulnerability Details

at line 273 of the file Distribution.sol

userData.pendingRewards = pendingRewards_;

Impact

High impact because previous pending reward will be overwritten.

Tools Used

Reading the code

Recommendations

- userData.pendingRewards = pendingRewards_;
+ userData.pendingRewards += pendingRewards_;
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.