Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing check for caller permissions of `claimRewards` function

Summary

In the claimRewards function, anyone can call the function with any address as input. The contract does not check that the input `user` address matches `msg.sender`, so the caller can pass an arbitrary address (for example, address A) and address A will receive its pending reward without having made a claim itself.

Vulnerability Details

The claimRewards function only checks `user == address(0)`; it has no additional check that `user` equals `msg.sender`. As a result, anyone can call the function with any address as input.

function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
    if (user == address(0)) revert InvalidAddress();
    uint256 pendingReward = _calculatePendingRewards(user);
    if (pendingReward == 0) revert InsufficientBalance();
    // Reset user rewards before transfer
    userRewards[user] = totalDistributed;
    // Transfer rewards
    raacToken.safeTransfer(user, pendingReward);
    emit RewardClaimed(user, pendingReward);
    return pendingReward;
}

Anyone can call the function with `user = A_address`; if A_address has a pending reward in the contract, A_address receives that reward without having claimed it itself.

Impact

An attacker can trigger claims for many addresses.

Tools Used

Manual review

Recommendations

Add a check that the caller is the user whose rewards are being claimed (note that `msg.sender` is a member of the `msg` global, not a function, so it is not called with parentheses):

if (user != msg.sender) revert InvalidAddress();

Updates
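The following is an added, self-contained example written for this page, not code from the RAAC repository: a minimal rewards contract that keeps the accounting names from the snippet above (`userRewards`, `totalDistributed`, `_calculatePendingRewards`) and shows the recommended caller check in compiling form, with a custom error that records who attempted the claim. The staked-balance mapping, the 1e18 scaling, the token interface and the absence of the `nonReentrant`/`whenNotPaused` modifiers are assumptions for brevity. Observe that, with or without the check, the transfer target is always `user`, never the caller; the check restricts who may trigger the claim, not where the tokens go.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface (assumed). The audited contract uses a SafeERC20
// wrapper, raacToken.safeTransfer, which is not reproduced here.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Illustrative rewards vault, not the audited contract.
contract ClaimRewardsExample {
    error InvalidAddress();
    error InsufficientBalance();
    error Unauthorized(address caller, address user);

    event RewardClaimed(address indexed user, uint256 amount);

    IERC20Minimal public immutable rewardToken;

    // Cumulative reward per staked unit, scaled by 1e18 (assumed accounting).
    uint256 public totalDistributed;
    // Checkpoint of totalDistributed at the user's last claim.
    mapping(address => uint256) public userRewards;
    // Staked balance per user (assumed; the report does not show it).
    mapping(address => uint256) public balances;

    constructor(IERC20Minimal token) {
        rewardToken = token;
    }

    /// @notice Claim the caller's own pending rewards.
    /// @dev Hardened per the recommendation: `user` must equal `msg.sender`.
    function claimRewards(address user) external returns (uint256) {
        if (user == address(0)) revert InvalidAddress();
        // Recommended check: only the position owner may trigger its claim.
        // `msg.sender` is a global variable, so no parentheses.
        if (user != msg.sender) revert Unauthorized(msg.sender, user);

        uint256 pendingReward = _calculatePendingRewards(user);
        if (pendingReward == 0) revert InsufficientBalance();

        // Effects before interaction: checkpoint first, then transfer.
        userRewards[user] = totalDistributed;
        // Stand-in for raacToken.safeTransfer(user, pendingReward).
        require(rewardToken.transfer(user, pendingReward), "transfer failed");

        emit RewardClaimed(user, pendingReward);
        return pendingReward;
    }

    /// @dev Pending reward = staked balance * (current - checkpoint) / 1e18.
    /// Assumed formula; the original implementation is not on the page.
    function _calculatePendingRewards(address user) internal view returns (uint256) {
        uint256 delta = totalDistributed - userRewards[user];
        return (balances[user] * delta) / 1e18;
    }
}
```

With the check in place, a call such as `claimRewards(A_address)` from any account other than A_address reverts with `Unauthorized(caller, A_address)`, which also gives an on-chain trace of who attempted the third-party claim; without it, the same call succeeds and A_address's checkpoint is advanced and its tokens sent, exactly the behaviour the submission describes.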

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
