Reward Transfer Fails When Accumulated Reward Exceeds Contract Balance
Summary
In the getReward function of the BaseGauge contract, the contract reverts the transaction if the accumulated reward for a user exceeds the current reward token balance held by the contract. Instead of reverting, the function should transfer the available balance to the user, ensuring they receive a partial reward rather than nothing.
Vulnerability Details
Within the reward claim logic, the following snippet handles the case where the reward amount is greater than the contract’s balance:
• Current Behavior:
The function reverts when the reward exceeds the balance, leaving the user with no reward even if partial funds are available.
• Expected Behavior:
The function should transfer the available balance to the user when the accumulated reward exceeds the contract’s balance, ensuring that users receive whatever funds are available rather than receiving nothing.
Impact
• User Dissatisfaction: Users may be unable to claim their earned rewards if the contract’s balance is temporarily low, even though partial rewards are available.
• Minor Accounting Discrepancies: This behavior can lead to situations where reward distributions are inconsistent, potentially affecting user trust.
• Low Severity: While this issue does not pose a significant security risk, it can negatively impact user experience and perceived reliability of the reward distribution mechanism.
Tools Used
Manual
Recommendations
• Implement Partial Transfer Logic:
Update the reward claim logic to check if reward > balance. If true, instead of reverting, transfer the available balance to the user:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.