MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Invalid

The claim function is permissionless, allowing anyone to claim the pendingRewards of any user.

Summary

A malicious user can claim someone else's rewards without the knowledge of the actual owner of those rewards.

Vulnerability Details

Imagine a situation where a user stakes tokens and wants to hold them until a certain time to gain the rewards; he has no intention of claiming them yet. However, a malicious user can step in and claim the rewards without the staker's knowledge. The claim proceeds through the L1Sender.sol 'sendMintMessage' to the L2MessageReceiver, where the tokens are minted to the user who owns the reward. Although the attacker cannot actually steal the rewards, he could cause a lot of inconvenience for the actual staker. Additionally, if the malicious user does not send enough gas, the tx can get stuck in the L2MessageReceiver and the actual user must call the 'retryMessage' function to retrieve the funds. I

Impact

The user's rewards could be claimed at an untimely moment without their knowledge, causing a lot of inconvenience.

Tools Used

Manual Review

Recommendations

Restrict the claim function so that only msg.sender can claim their own rewards.
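The recommended restriction, written out as an added illustration rather than code from the MorpheusAI repository: a simplified staking contract with the permissionless claim(address) shape described above, beside a variant where the payout target is always msg.sender. The IL1Sender interface, the rewardDistributor role, the accrue helper and the refund parameter are assumptions made for this example; only the names claim, pendingRewards and sendMintMessage come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical bridge hop, assumed for this example only. It forwards a mint of
// `amount` to `user` on L2 and returns any unused fee to `refundTo`. The real
// L1Sender.sendMintMessage signature is not reproduced here.
interface IL1Sender {
    function sendMintMessage(address user, uint256 amount, address refundTo) external payable;
}

// Shared bookkeeping so both variants below differ only in their claim function.
abstract contract StakingBase {
    IL1Sender public immutable l1Sender;
    address public immutable rewardDistributor; // assumed role that credits rewards
    mapping(address => uint256) public pendingRewards;

    event Claimed(address indexed user, address indexed caller, uint256 amount);

    constructor(IL1Sender sender_, address distributor_) {
        l1Sender = sender_;
        rewardDistributor = distributor_;
    }

    // Constructed stand-in for reward accrual; real accounting is out of scope.
    function accrue(address user, uint256 amount) external {
        require(msg.sender == rewardDistributor, "not distributor");
        pendingRewards[user] += amount;
    }

    // Zeroes the balance and hands the mint to the bridge. `fee` is the L2 gas
    // budget the caller attached; whoever calls claim decides how large it is.
    function _payout(address user, uint256 fee) internal {
        uint256 amount = pendingRewards[user];
        require(amount > 0, "nothing to claim");
        pendingRewards[user] = 0;
        l1Sender.sendMintMessage{value: fee}(user, amount, msg.sender);
        emit Claimed(user, msg.sender, amount);
    }
}

// Shape of the finding: claim(address) is callable by anyone, for anyone.
contract StakingPermissionless is StakingBase {
    constructor(IL1Sender sender_, address distributor_) StakingBase(sender_, distributor_) {}

    // Any caller picks WHEN `user` is paid out and HOW MUCH fee travels with the
    // message. Rewards still reach `user`, but the staker's intended holding
    // period is cut short, and an under-funded message can leave the payout
    // stuck on L2 until the staker calls retryMessage.
    function claim(address user) external payable {
        _payout(user, msg.value);
    }
}

// Hardened variant following the recommendation: only the reward owner claims.
contract StakingSelfClaim is StakingBase {
    constructor(IL1Sender sender_, address distributor_) StakingBase(sender_, distributor_) {}

    // No `user` parameter: the payout target is always msg.sender, so the staker
    // alone chooses the timing and funds the cross-chain fee that carries it.
    function claim() external payable {
        _payout(msg.sender, msg.value);
    }
}
```

Dropping the address parameter removes the whole class of third-party claims rather than gating it; the trade-off is that the staker must pay the bridge fee in the same transaction, which is exactly the property the finding wants back in the staker's hands.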

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
