Without a time-based mechanism, users could repeatedly claim profits or rewards without having earned them in a fair, time-based manner. This could lead to abuse, as they could keep claiming rewards faster than they accumulate them.
1. An attacker can transfer tokens back and forth between different addresses, using fast transfers to artificially increase their rewards. The contract doesn't account for exact holding periods or transfer times, so they might continuously claim rewards for the same set of tokens.
2. An attacker can transfer tokens between wallets, and since the contract is not designed to reset a "time of claim" upon transfer, the user could keep claiming rewards from different wallets without waiting for a reset or cooldown.
The rewards pool can be drained.
Manual view
Track token movement and last claim time.
Use a timelock-based mechanism, e.g. from OpenZeppelin.
Set limits on how much can be withdrawn in a given time frame.
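
The three recommendations above, combined in one contract as an added example (not code from the audited project): rewards accrue per address only for the time it actually held its balance, an inbound transfer restarts the recipient's claim cooldown, and each claim is capped. The contract name, constants and storage layout are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: every name and constant here is an assumption,
// not taken from the audited contract.
contract CooldownRewards {
    uint256 public constant COOLDOWN = 1 days;     // minimum time between claims
    uint256 public constant RATE = 1e16;           // reward per 1e18 tokens per day
    uint256 public constant MAX_PER_CLAIM = 1e18;  // payout cap per cooldown window

    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public accrued;    // earned but not yet paid
    mapping(address => uint256) public lastUpdate; // last accrual checkpoint
    mapping(address => uint256) public lastClaim;  // start of the current cooldown

    event Claimed(address indexed account, uint256 amount);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        lastUpdate[msg.sender] = block.timestamp;
        lastClaim[msg.sender] = block.timestamp;
    }

    // Credit rewards for the time `a` actually held its current balance.
    function _checkpoint(address a) internal {
        uint256 elapsed = block.timestamp - lastUpdate[a];
        accrued[a] += (balanceOf[a] * elapsed * RATE) / (1e18 * 1 days);
        lastUpdate[a] = block.timestamp;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(to != address(0) && to != msg.sender, "bad recipient");
        _checkpoint(msg.sender);          // sender keeps only what it earned so far
        _checkpoint(to);                  // received tokens earn from now, not retroactively
        balanceOf[msg.sender] -= amount;  // reverts on underflow in 0.8+
        balanceOf[to] += amount;
        lastClaim[to] = block.timestamp;  // receiving tokens restarts the cooldown
        return true;
    }

    function claim() external returns (uint256 paid) {
        require(block.timestamp >= lastClaim[msg.sender] + COOLDOWN, "cooldown");
        _checkpoint(msg.sender);
        uint256 owed = accrued[msg.sender];
        paid = owed > MAX_PER_CLAIM ? MAX_PER_CLAIM : owed;
        accrued[msg.sender] = owed - paid;       // state updated before any payout
        lastClaim[msg.sender] = block.timestamp;
        emit Claimed(msg.sender, paid);          // pool payout would happen here
    }
}
```

Restarting the recipient's cooldown on every inbound transfer lets a third party delay someone's claims by sending dust, so a deployment would need a minimum transfer size or a similar guard if it keeps that reset.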