The _claimPlenty function resolves the reward token by assuming that the Well contract's tokens array holds exactly two entries, the Bean token and the reward token (3CRV). It checks whether the first token is not Bean and, if so, uses it; otherwise it falls through to the second token. Nothing in that selection verifies that the chosen token is actually the intended reward token, or that Bean is present at all. The logic therefore breaks as soon as the Well's token layout differs from the assumed one:
If the tokens array is ordered differently, or holds more than two tokens, the function may pick an unrelated token (any non-Bean token in position 0, or whatever sits in position 1) as the reward token.
If Bean is not in one of the first two positions, the function silently selects tokens[0] and never detects that its assumption about the Well was wrong.
Because _claimPlenty transfers whatever token it selected, the current implementation could pay users in the wrong token, resulting in loss of funds for users (or draining of a token the contract was not meant to distribute) and reputational damage for the project.
Manual Review
To mitigate this issue, identify the reward token explicitly rather than by position: store the reward token's address (or its index within the tokens array) in contract storage when the SOP Well is configured, and validate at that point that the address is one of the Well's tokens and is not Bean. Re-checking against the Well's current token list at claim time is cheap and turns a silent mis-selection into a revert. Note that even where a Well's token list cannot change after deployment, the same risk arises whenever the SOP Well is pointed at a new Well with a different token layout, so the explicit check is still worthwhile. Additionally, ensure that the Well contract has safeguards against unexpected changes to its tokens array that could affect the reward distribution logic.
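The following contract is an added illustration of the recommendation; it is not Beanstalk code and does not reproduce the project's storage layout or interfaces. It assumes a minimal IWell interface exposing a tokens() view, places the fragile positional selection (rewardTokenByPosition) beside an explicitly configured and validated reward token (rewardTokenExplicit), and includes a constructed MockWell so the two can be compared on the token layouts described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed minimal Well surface: only the token list is needed here.
interface IWell {
    function tokens() external view returns (address[] memory);
}

/// Constructed mock whose token list can be set to any layout for testing.
contract MockWell is IWell {
    address[] private _tokens;

    constructor(address[] memory initial) {
        _tokens = initial;
    }

    function setTokens(address[] memory next) external {
        _tokens = next;
    }

    function tokens() external view override returns (address[] memory) {
        return _tokens;
    }
}

/// Added example (hypothetical contract): contrasts positional reward-token
/// selection with an explicitly configured, validated reward token.
contract PlentyTokenSelection {
    address public immutable bean;
    IWell public immutable sopWell;
    /// Explicitly configured reward token (assumed storage slot, not Beanstalk's).
    address public sopToken;

    error RewardTokenIsBean();
    error RewardTokenNotInWell(address token);
    error BeanNotInWell();

    constructor(address _bean, IWell _sopWell, address _sopToken) {
        bean = _bean;
        sopWell = _sopWell;
        _setSopToken(_sopToken);
    }

    /// Fragile selection, mirroring the pattern the finding describes:
    /// assumes two tokens with Bean in one of the first two positions.
    /// With tokens = [Other, Bean, Reward] it returns Other; with
    /// tokens = [Reward2, Reward, Bean] it returns Reward2. Neither is detected.
    function rewardTokenByPosition() external view returns (address) {
        address[] memory tokens = sopWell.tokens();
        return tokens[0] != bean ? tokens[0] : tokens[1];
    }

    /// Hardened selection: the reward token is configured explicitly and
    /// re-validated against the Well's current token list at use time,
    /// so a changed or unexpected layout reverts instead of paying the wrong token.
    function rewardTokenExplicit() external view returns (address) {
        if (!_wellHolds(bean)) revert BeanNotInWell();
        if (!_wellHolds(sopToken)) revert RewardTokenNotInWell(sopToken);
        return sopToken;
    }

    /// Configuration-time validation: reject Bean itself and any token the
    /// Well does not actually hold, regardless of array order or length.
    function _setSopToken(address token) internal {
        if (token == bean) revert RewardTokenIsBean();
        if (!_wellHolds(token)) revert RewardTokenNotInWell(token);
        sopToken = token;
    }

    /// Membership check over the Well's full token list, independent of position.
    function _wellHolds(address token) internal view returns (bool) {
        address[] memory tokens = sopWell.tokens();
        for (uint256 i = 0; i < tokens.length; i++) {
            if (tokens[i] == token) return true;
        }
        return false;
    }
}
```

Deploy MockWell with [Bean, Reward] and both selectors agree; call setTokens with [Other, Bean, Reward] and rewardTokenByPosition returns Other while rewardTokenExplicit still returns Reward, and with a list that omits Bean or the configured reward token rewardTokenExplicit reverts rather than transferring anything. The index-based variant suggested in the recommendation would replace _wellHolds with a check that tokens[storedIndex] equals the stored address.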