Submission Details
Severity:
Protocol lacks tracking of last time user claimed rewards
Author Revealed upon completion
Vulnerability Details
FeeCollector wants to track last time user claim his rewards. The current contract has a mapping an internal function to do so:
/**
* @notice User claim tracking
* @dev Maps user addresses to their last claim timestamp
*/
mapping(address => uint256) private lastClaimTime;
...
function _updateLastClaimTime(address user) internal {
lastClaimTime[user] = block.timestamp;
}
Problem is the function is not used and there is no public function to provide access to lastClaimTime.
Impact
Protocol cannot track the user last claim.
Tools Used
Manual Review
Recommendations
Call _updateLastClaimTimeinside the claimRewardsfunction and make the lastClaimTimepublic:
- mapping(address => uint256) private lastClaimTime;
+ mapping(address => uint256) public lastClaimTime;
...
function claimRewards(address user) external override nonReentrant whenNotPaused returns (uint256) {
...
// Reset user rewards before transfer
userRewards[user] = totalDistributed;
+ _updateLastClaimTime(user);
...
}
Updates
Lead Judging Commences
inallhonesty 10 days ago
Submission Judgement Published Assigned finding tags:
_updateLastClaimTime not properly used to track rewards claim time
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
View preliminary resultsAppeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.