Submission Details
Severity:
Protocol lacks tracking of last time user claimed rewards
Vulnerability Details
FeeCollector wants to track last time user claim his rewards. The current contract has a mapping an internal function to do so:
/**
* @notice User claim tracking
* @dev Maps user addresses to their last claim timestamp
*/
mapping(address => uint256) private lastClaimTime;
...
function _updateLastClaimTime(address user) internal {
lastClaimTime[user] = block.timestamp;
}
Problem is the function is not used and there is no public function to provide access to lastClaimTime.
Impact
Protocol cannot track the user last claim.
Tools Used
Manual Review
Recommendations
Call _updateLastClaimTimeinside the claimRewardsfunction and make the lastClaimTimepublic:
- mapping(address => uint256) private lastClaimTime;
+ mapping(address => uint256) public lastClaimTime;
...
function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
...
// Reset user rewards before transfer
userRewards[user] = totalDistributed;
+ _updateLastClaimTime(user);
...
}
Updates
Lead Judging Commences
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
_updateLastClaimTime not properly used to track rewards claim time
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.