MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Invalid

`Distribution::claim` lets users claim for other addresses, losing the `msg.value` they attach.

Summary

The `Distribution::claim` function is `payable` and accepts an arbitrary `user_` parameter. A caller who passes the wrong address still pays `msg.value` for the cross-chain mint message, but the rewards are minted to `user_`, not to the caller.

Vulnerability Details

The function is `payable`, and the full `msg.value` is forwarded to `L1Sender.sendMintMessage`. The rewards themselves are computed from `usersData[user_][poolId_]` and minted to `user_`, so nothing in the function ties `user_` to `_msgSender()`. If a user calls `claim` with a mistyped or otherwise wrong address, the attached `msg.value` is spent on a message that mints rewards to someone else, and the caller receives nothing for it.
I understand that it can be invalidated because it's just user input validation.

Function

```solidity
@>  function claim(uint256 poolId_, address user_) external payable poolExists(poolId_) {
        Pool storage pool = pools[poolId_];
        PoolData storage poolData = poolsData[poolId_];
        UserData storage userData = usersData[user_][poolId_];

        require(block.timestamp > pool.payoutStart + pool.claimLockPeriod, "DS: pool claim is locked");

        uint256 currentPoolRate_ = _getCurrentPoolRate(poolId_);
        uint256 pendingRewards_ = _getCurrentUserReward(currentPoolRate_, userData);
        require(pendingRewards_ > 0, "DS: nothing to claim");

        // Update pool data
        poolData.lastUpdate = uint128(block.timestamp);
        poolData.rate = currentPoolRate_;

        // Update user data
        userData.rate = currentPoolRate_;
        userData.pendingRewards = 0;

        // Transfer rewards
@>      L1Sender(l1Sender).sendMintMessage{value: msg.value}(user_, pendingRewards_, _msgSender());

        emit UserClaimed(poolId_, user_, pendingRewards_);
    }
```

Impact

A user who passes the wrong `user_` loses the `msg.value` attached to the call (the fee for the cross-chain mint message). The rewards are not lost to the protocol; they are minted to `user_`, who was entitled to them anyway. The loss per mistaken call is bounded by that fee, so the amount at risk is small.

Tools Used

Manual Review

Recommendations

Add a check that the caller is the user whose rewards are being claimed (`_msgSender() == user_`):

```solidity
function claim(uint256 poolId_, address user_) external payable poolExists(poolId_) {
+   require(_msgSender() == user_, "DS: caller is not user");
    [code]
}
```
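The following Foundry test is an added example, not code from the MorpheusAI repository. It models the pattern described above with a stripped-down `DistributionLite` (a fixed pending reward per address instead of the pool rate math) and a `MockL1Sender` that only records where `msg.value` and the mint request went. Both contract names, the `checkCaller` flag and the `setPending` helper are hypothetical. The first test shows the caller's ETH leaving with a message that mints to someone else; the second shows the recommended `_msgSender() == user_` check reverting before any ETH moves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not MorpheusAI code): a minimal model of the Distribution::claim
// pattern plus a Foundry test for the wrong-address case. All names are hypothetical.

import {Test} from "forge-std/Test.sol";

// Stand-in for L1Sender: records the last mint request and the ETH it received.
contract MockL1Sender {
    address public lastUser;
    uint256 public lastAmount;
    address public lastRefundTo;
    uint256 public totalReceived;

    function sendMintMessage(address user_, uint256 amount_, address refundTo_) external payable {
        lastUser = user_;
        lastAmount = amount_;
        lastRefundTo = refundTo_;
        totalReceived += msg.value;
    }
}

// Stand-in for Distribution: a fixed pending reward per user instead of the pool math.
contract DistributionLite {
    MockL1Sender public immutable l1Sender;
    bool public immutable checkCaller; // true = apply the recommended fix
    mapping(address => uint256) public pendingRewards;

    constructor(MockL1Sender l1Sender_, bool checkCaller_) {
        l1Sender = l1Sender_;
        checkCaller = checkCaller_;
    }

    function setPending(address user_, uint256 amount_) external {
        pendingRewards[user_] = amount_;
    }

    // Same shape as the reported function: payable, forwards msg.value, mints to `user_`.
    function claim(address user_) external payable {
        if (checkCaller) {
            require(msg.sender == user_, "DS: caller is not user");
        }
        uint256 rewards = pendingRewards[user_];
        require(rewards > 0, "DS: nothing to claim");
        pendingRewards[user_] = 0;
        l1Sender.sendMintMessage{value: msg.value}(user_, rewards, msg.sender);
    }
}

contract ClaimForOthersTest is Test {
    MockL1Sender sender;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    uint256 constant FEE = 0.01 ether; // constructed message fee for the example

    function setUp() public {
        sender = new MockL1Sender();
        vm.deal(alice, 1 ether);
    }

    // Vulnerable variant: alice pays the fee, bob's rewards are minted, alice gets nothing.
    function test_wrongAddressLosesFee() public {
        DistributionLite dist = new DistributionLite(sender, false);
        dist.setPending(bob, 100e18);

        vm.prank(alice);
        dist.claim{value: FEE}(bob); // alice meant to pass her own address

        assertEq(alice.balance, 1 ether - FEE);  // the fee left alice's account
        assertEq(sender.totalReceived, FEE);     // and travelled with the message
        assertEq(sender.lastUser, bob);          // the mint is addressed to bob
        assertEq(dist.pendingRewards(bob), 0);   // bob's rewards were consumed, not alice's
    }

    // Hardened variant: the same call reverts before any ETH leaves alice.
    function test_checkCallerReverts() public {
        DistributionLite dist = new DistributionLite(sender, true);
        dist.setPending(bob, 100e18);

        vm.prank(alice);
        vm.expectRevert(bytes("DS: caller is not user"));
        dist.claim{value: FEE}(bob);

        assertEq(alice.balance, 1 ether);
        assertEq(sender.totalReceived, 0);
    }
}
```

Run with `forge test --match-contract ClaimForOthersTest`. The test only reproduces the fee loss the report describes; whether claiming on behalf of another address is a feature worth keeping is the design question the judge answered below.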
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
