Submission Details
Severity: medium
Invalid

The Staking::claimRewards function gives a larger amount than expected

Summary

  • The Staking::claimRewards function gives a larger amount than expected

Vulnerability Details

  • This function gives a larger amount than expected. According to the documentation, after claimRewards and withdrawing all staking tokens it will give away weekOfStaking * balancePerSoulmates + balancePerSoulmates, but the expected amount is weekOfStaking * balancePerSoulmates.

    /// @notice Claim rewards for staking.
    /// @notice Users can claim 1 token per staking token per week.
    function claimRewards() public {
        uint256 soulmateId = soulmateContract.ownerToId(msg.sender);
        // first claim
        if (lastClaim[msg.sender] == 0) {
            lastClaim[msg.sender] = soulmateContract.idToCreationTimestamp(
                soulmateId
            );
        }
        // How many weeks passed since the last claim.
        // Thanks to round-down division, it will be the lower amount possible until a week has completly pass.
        uint256 timeInWeeksSinceLastClaim = ((block.timestamp -
            lastClaim[msg.sender]) / 1 weeks);
        if (timeInWeeksSinceLastClaim < 1)
            revert Staking__StakingPeriodTooShort();
        lastClaim[msg.sender] = block.timestamp;
        // Send the same amount of LoveToken as the week waited times the number of token staked
    @>  uint256 amountToClaim = userStakes[msg.sender] *
            timeInWeeksSinceLastClaim;
        loveToken.transferFrom(
            address(stakingVault),
            msg.sender,
            amountToClaim
        );
        emit RewardsClaimed(msg.sender, amountToClaim);
    }

POC

  • This test shows the Staking::claimRewards function giving more rewards than expected. If someone stakes 5 tokens for 5 weeks, he should only have 25 tokens, but in the Staking contract a user can have 30 tokens after calling the claimRewards and withdraw functions.

    function test_Claim__Rewards() public {
        uint balancePerSoulmates = 5 ether;
        uint weekOfStaking = 5;
        _depositTokenToStake(balancePerSoulmates);
        vm.prank(soulmate1);
        vm.expectRevert();
        stakingContract.claimRewards();
        vm.warp(block.timestamp + weekOfStaking * 1 weeks + 1 seconds);
        vm.prank(soulmate1);
        stakingContract.claimRewards();
        vm.prank(soulmate1);
        stakingContract.withdraw(balancePerSoulmates);
        console.log(loveToken.balanceOf(soulmate1), weekOfStaking * balancePerSoulmates);
        assertTrue(
            loveToken.balanceOf(soulmate1) ==
                weekOfStaking * balancePerSoulmates
        );
    }
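
The arithmetic behind the PoC, as an added Python model (not code from the submission or the project) that replays the test's steps and reports the wallet balance after claimRewards and after withdraw separately, for both the current formula and the one proposed under Recommendations. It assumes the wallet is empty once the stake is deposited, that lastClaim starts at the deposit time, and that withdraw returns the deposited amount; poc_balances and the other function names are hypothetical.

```python
WEEK = 7 * 24 * 60 * 60          # Solidity `1 weeks`, in seconds
ETHER = 10**18                   # Solidity `1 ether`, in wei


class StakingPeriodTooShort(Exception):
    """Stands in for the Staking__StakingPeriodTooShort revert."""


def weeks_since(last_claim: int, now: int) -> int:
    # Solidity integer division rounds down, like Python's //.
    return (now - last_claim) // WEEK


def claim_amount(stake: int, last_claim: int, now: int) -> int:
    """amountToClaim as computed by the claimRewards shown above."""
    weeks = weeks_since(last_claim, now)
    if weeks < 1:
        raise StakingPeriodTooShort()
    return stake * weeks


def claim_amount_recommended(stake: int, last_claim: int, now: int) -> int:
    """amountToClaim with the proposed `- userStakes[msg.sender]` term."""
    weeks = weeks_since(last_claim, now)
    if weeks < 1:
        raise StakingPeriodTooShort()
    return stake * weeks - stake


def poc_balances(stake: int, weeks_staked: int, formula=claim_amount) -> dict:
    """Replay the PoC steps; return the wallet balance after each call."""
    start = 1_700_000_000                      # constructed timestamp
    wallet = 0                                 # assumption: everything was deposited
    now = start + weeks_staked * WEEK + 1      # vm.warp(... + 1 seconds)
    wallet += formula(stake, start, now)       # claimRewards()
    after_claim = wallet
    wallet += stake                            # assumption: withdraw() returns the deposit
    return {"after_claim": after_claim, "after_withdraw": wallet}
```
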

Impact

  • Giving more tokens than expected

Tools Used

  • Manual Review

Recommendations

  • We can make this change to correct the excess amount.

function claimRewards() public {
uint256 soulmateId = soulmateContract.ownerToId(msg.sender);
// first claim
if (lastClaim[msg.sender] == 0) {
lastClaim[msg.sender] = soulmateContract.idToCreationTimestamp(
soulmateId
);
}
// How many weeks passed since the last claim.
// Thanks to round-down division, it will be the lower amount possible until a week has completly pass.
uint256 timeInWeeksSinceLastClaim = ((block.timestamp -
lastClaim[msg.sender]) / 1 weeks);
if (timeInWeeksSinceLastClaim < 1)
revert Staking__StakingPeriodTooShort();
lastClaim[msg.sender] = block.timestamp;
// Send the same amount of LoveToken as the week waited times the number of token staked
uint256 amountToClaim = userStakes[msg.sender] *
+ timeInWeeksSinceLastClaim - userStakes[msg.sender];
- timeInWeeksSinceLastClaim;
loveToken.transferFrom(
address(stakingVault),
msg.sender,
amountToClaim
);
emit RewardsClaimed(msg.sender, amountToClaim);
}
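
Review bot: the added line subtracts userStakes[msg.sender] from every claim, so a claim with timeInWeeksSinceLastClaim == 1 (which passes the "< 1" check a few lines above) computes amountToClaim = 0, and the PoC's case of 5 ether staked for 5 weeks computes 20 ether rather than 25. The PoC reads loveToken.balanceOf(soulmate1) only after stakingContract.withdraw(balancePerSoulmates), so I would first move the assertion to between claimRewards() and withdraw() to measure amountToClaim on its own before changing the formula. As a style point, the "+" line is placed before the "-" line it replaces; put the removed line first so the change reads unambiguously.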
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
