In collectReward(), parameter _collectedRewards[msg.sender] not updating correctly.
Summary
The mapping below is not updated correctly. It should be tracking the rewards received but instead of adding to the previous, it replaces them.
_collectedRewards[msg.sender] = amountRewards;
Vulnerability Details
Assume the scenario where user has count = 3, then he will receive (3/3-0)= 1 reward token and _collectedRewards[msg.sender]==1;
Then if he has count = 5, he will receive ( 5/3 - 1) = 1 - 1 = 0 reward token and _collectedRewards[msg.sender]==0;
Then if he has count = 6, he will receive (6/3 - 0) = 2 reward tokens.
So for 6 martenitsaToken he receives total 3 reward tokens which is wrong.
Impact
This causes an issue where the cumulative rewards collected by the sender are not tracked correctly over multiple calls to collectReward(). Instead, it resets the reward count each time, which can lead to incorrect calculations of rewards, especially if the function is meant to track total rewards over time.
Tools Used
Visual inspection
Recommendations
replace
_collectedRewards[msg.sender] = amountRewards;
with
_collectedRewards[msg.sender] += amountRewards;
Lead Judging Commences
_collectedRewards is not updated correctly
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.