Submission Details
Severity: low
Invalid

The claimRewards function in the Staking contract doesn't enforce a minimum staking period of one week, enabling users to claim rewards prematurely.

Summary

The claimRewards function in the Staking contract allows users to claim rewards even if the staking period is shorter than one week. This vulnerability could lead to users claiming rewards prematurely, potentially exploiting the reward system.

Vulnerability Details

The claimRewards function does not enforce a minimum staking period of one week before allowing users to claim rewards. This lack of validation allows users to claim rewards regardless of the actual duration of their staking period.

```solidity
/// @notice Claim rewards for staking.
/// @notice Users can claim 1 token per staking token per week.
function claimRewards() public {
    uint256 soulmateId = soulmateContract.ownerToId(msg.sender);
    // first claim
    if (lastClaim[msg.sender] == 0) {
        lastClaim[msg.sender] = soulmateContract.idToCreationTimestamp(
            soulmateId
        );
    }
    // How many weeks passed since the last claim.
    // Thanks to round-down division, it will be the lowest possible amount until a week has completely passed.
    uint256 timeInWeeksSinceLastClaim = ((block.timestamp -
        lastClaim[msg.sender]) / 1 weeks);
    if (timeInWeeksSinceLastClaim < 1)
        revert Staking__StakingPeriodTooShort();
    lastClaim[msg.sender] = block.timestamp;
    // Send an amount of LoveToken equal to the weeks waited times the number of tokens staked
    uint256 amountToClaim = userStakes[msg.sender] *
        timeInWeeksSinceLastClaim;
    loveToken.transferFrom(
        address(stakingVault),
        msg.sender,
        amountToClaim
    );
    emit RewardsClaimed(msg.sender, amountToClaim);
}

/// @notice Increase the userStakes variable and transfer LoveToken to this contract.
function deposit(uint256 amount) public {
    // Check if there are remaining LoveToken rewards in the staking contract vault
    if (loveToken.balanceOf(address(stakingVault)) == 0)
        revert Staking__NoMoreRewards();
    // No require needed because of overflow protection
    userStakes[msg.sender] += amount;
    loveToken.transferFrom(msg.sender, address(this), amount);
    emit Deposited(msg.sender, amount);
}
```

Impact

The impact of this vulnerability is that users could exploit the reward system by claiming rewards before the minimum staking period of one week has elapsed. This could lead to unfair distribution of rewards and undermine the integrity of the staking mechanism.

Tools Used

No specific tools were used to identify this vulnerability. It was discovered through manual code review and analysis.

Recommendations

Implement a validation check in the claimRewards function to ensure that users can only claim rewards if the staking period is at least one week.
Add a requirement to verify the duration of the staking period before allowing users to claim rewards, preventing premature reward claims.
Consider implementing additional mechanisms such as event notifications or user alerts to notify users when their staking period is eligible for claiming rewards.
Conduct thorough testing and auditing of the contract code to identify and address any additional vulnerabilities or weaknesses that may exist.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
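
The timing logic of the quoted claimRewards can be stepped through off-chain to see at which timestamps it reverts and what it pays. The following is an added example, not code from the contest repository or the submission; the class and function names, the single-user simplification and the timestamps are assumptions made for illustration.

```python
# Added example: off-chain model of the timing logic in the quoted claimRewards().
WEEK = 7 * 24 * 60 * 60  # Solidity `1 weeks`, in seconds
DAY = 24 * 60 * 60


class StakingPeriodTooShort(Exception):
    """Stands in for the Staking__StakingPeriodTooShort revert."""


class StakingModel:
    """Single-user model; creation_timestamp plays idToCreationTimestamp(soulmateId)."""

    def __init__(self, creation_timestamp):
        self.creation_timestamp = creation_timestamp
        self.last_claim = 0   # lastClaim[msg.sender]
        self.user_stake = 0   # userStakes[msg.sender]

    def deposit(self, amount):
        self.user_stake += amount

    def claim_rewards(self, now):
        """Return the amount paid when block.timestamp == now, or raise."""
        last_claim = self.last_claim
        if last_claim == 0:  # first claim: baseline is the soulmate creation time
            last_claim = self.creation_timestamp
        weeks = (now - last_claim) // WEEK  # round-down division
        if weeks < 1:
            # A revert rolls back state, so self.last_claim is not written here.
            raise StakingPeriodTooShort()
        self.last_claim = now
        return self.user_stake * weeks


def run_scenario():
    """Claim at four constructed timestamps; return the amount paid or 'revert'."""
    t0 = 1_700_000_000  # constructed creation timestamp
    model = StakingModel(t0)
    model.deposit(10)
    outcomes = []
    for now in (t0 + WEEK - 1, t0 + WEEK, t0 + WEEK + 6 * DAY, t0 + WEEK + 15 * DAY):
        try:
            outcomes.append(model.claim_rewards(now))
        except StakingPeriodTooShort:
            outcomes.append("revert")
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```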
