In OperatorVault.sol::withdrawRewards, if rewards == 0, execution still continues to the subtraction, which will result in a negative value. This can trigger an unintended revert or cause the withdrawRewards function to withdraw wrong values even if there are funds (balance) to be withdrawn.
This leads to withdrawal of protocol funds in the contract, tampering with the balance.
If rewards == 0, the following line:
unclaimedRewards -= SafeCast.toUint128(amountWithdrawn);
may incorrectly update the unclaimedRewards value because amountWithdrawn could be 0, causing unclaimedRewards to remain unchanged even though rewards have technically been withdrawn (or attempted to be).
Even when rewards are zero, the function still checks and attempts to transfer any remaining balance to the rewardsReceiver:
Check for Zero
function withdrawRewards() external onlyRewardsReceiver {
    uint256 rewards = getUnclaimedRewards();
    if (rewards == 0) {
        revert("No rewards to withdraw");
    }
    // Continue with the rest of the logic
}
Fix Subtraction Logic
You should ensure that rewards - balance does not underflow. If balance is greater than rewards, either return early or adjust the calculation to avoid negative numbers:
uint256 amountToWithdraw = rewards > balance ? rewards - balance : 0;
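To compare what `rewards - balance` does when balance exceeds rewards, the added sketch below runs the same inputs through default Solidity 0.8 checked arithmetic, an `unchecked` block, and the clamp recommended above. It is an illustration added here, not OperatorVault code; the contract and function names are hypothetical, and the compiler version is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed version; the page does not state the vault's pragma

// Added illustration, not OperatorVault code: every name here is hypothetical.
contract RewardsDiffDemo {
    // Default 0.8+ arithmetic: reverts with Panic(0x11) when balance > rewards.
    function checkedDiff(uint256 rewards, uint256 balance) public pure returns (uint256) {
        return rewards - balance;
    }

    // Pre-0.8 behaviour (or an unchecked block): the result wraps modulo 2**256
    // to a very large value instead of reverting.
    function wrappedDiff(uint256 rewards, uint256 balance) public pure returns (uint256) {
        unchecked {
            return rewards - balance;
        }
    }

    // The clamp recommended above: never reverts and never wraps.
    function clampedDiff(uint256 rewards, uint256 balance) public pure returns (uint256) {
        return rewards > balance ? rewards - balance : 0;
    }

    // Runs all three on the same inputs so the outcomes can be compared in one call.
    function compare(uint256 rewards, uint256 balance)
        external
        view
        returns (bool checkedReverted, uint256 wrapped, uint256 clamped)
    {
        // External self-call so the Panic from checkedDiff can be caught here.
        try this.checkedDiff(rewards, balance) returns (uint256) {
            checkedReverted = false;
        } catch {
            checkedReverted = true;
        }
        wrapped = wrappedDiff(rewards, balance);
        clamped = clampedDiff(rewards, balance);
    }
}
```

Calling `compare` with rewards = 0 and any non-zero balance shows the three outcomes side by side: the checked path reverts, the unchecked path wraps, and the clamped path returns 0.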