Submission Details
Severity:
Reentrancy vectors in ClaimRewards functions allow users to steal all the funds
Summary
Claim Rewards functions are not following the checks effects interactions pattern and have a reentrancy vectorn that can be used to drain the contract funds.
Vulnerability Details
Functions claimAllRewards and claimSingleReward delete the rewards owned storage only after the reward transfer call, which means the functions can be reentered via receive function of a malicious contract to re-call the function enough times to drain most of the funds.
function claimAllRewards() public {
uint256 totalValue = 0;
for (uint256 i = 0; i < rewardsOwned[msg.sender].length; i++) {
totalValue += rewardsOwned[msg.sender][i].value;
}
require(totalValue > 0, "No rewards to claim");
(bool success,) = payable(msg.sender).call{value: totalValue}("");
require(success, "Transfer failed");
delete rewardsOwned[msg.sender];
}
function claimSingleReward(uint256 _index) public {
require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
uint256 value = rewardsOwned[msg.sender][_index].value;
require(value > 0, "No reward to claim");
(bool success,) = payable(msg.sender).call{value: value}("");
require(success, "Transfer failed");
delete rewardsOwned[msg.sender][_index];
}
Impact
All funds can get drained
Tools Used
Manual Review
Recommendations
Apply checks effects interaction pattern or OpenZeppelin´s ReentrancyGuard
Updates
Appeal created
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
`claimAllRewards` reentrancy
`claimSingleReward` reentrancy
Rewards breakdown
nSLOC
86This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.