The claimRewards function of the FeeCollector contract contains a logic error that allows users to claim more rewards than they are entitled to.
The vulnerability is located in this line within the claimRewards function:
The userRewards[user] variable, which is intended to track the cumulative rewards claimed by a user, is incorrectly updated. Instead of adding the claimed reward amount to userRewards[user], the code sets userRewards[user] to the value of totalDistributed. This leads to an inflated value for userRewards[user], which is then used in subsequent reward calculations, allowing the user to claim excessive rewards.
Fund Drainage: A malicious user can repeatedly call claimRewards after each distributeCollectedFees call, draining the FeeCollector's reward pool.
Unfair Distribution: Honest users will receive significantly fewer rewards than they are entitled to, as the attacker siphons off a disproportionate share.
Loss of Trust: The vulnerability undermines the integrity of the reward distribution system.
Manual Review
Replace the incorrect assignment with an addition, so that userRewards[user] accumulates each claimed amount instead of being overwritten with totalDistributed.
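The following Python model is an added illustration, not the FeeCollector contract's own code: it reproduces only the ledger update described above (overwrite versus accumulate) and checks the invariant an auditor would test, namely that the claimed-rewards ledger equals what was actually paid out. The pro-rata entitlement formula, the user names and share weights are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FeeCollectorModel:
    # Hypothetical pro-rata reward formula; only the ledger update reproduces the reported bug.
    buggy: bool
    shares: dict = field(default_factory=dict)        # user -> share weight (constructed sample input)
    total_distributed: int = 0                        # cumulative fees pushed into the pool
    user_rewards: dict = field(default_factory=dict)  # user -> amount the ledger says was claimed
    paid_out: dict = field(default_factory=dict)      # user -> amount actually transferred

    def distribute_collected_fees(self, amount: int) -> None:
        self.total_distributed += amount

    def entitlement(self, user: str) -> int:
        # Assumed formula: each user is owed a pro-rata share of everything distributed so far.
        return self.total_distributed * self.shares[user] // sum(self.shares.values())

    def claim_rewards(self, user: str) -> int:
        reward = self.entitlement(user) - self.user_rewards.get(user, 0)
        if reward <= 0:
            return 0
        self.paid_out[user] = self.paid_out.get(user, 0) + reward
        if self.buggy:
            # The reported defect: the ledger is overwritten with the global total,
            # not the amount this user just received.
            self.user_rewards[user] = self.total_distributed
        else:
            # Recommended fix: accumulate the claimed amount.
            self.user_rewards[user] = self.user_rewards.get(user, 0) + reward
        return reward

    def ledger_consistent(self) -> bool:
        # Audit invariant: the claimed-rewards ledger must equal what was actually paid.
        return all(self.user_rewards.get(u, 0) == self.paid_out.get(u, 0) for u in self.shares)


def run_scenario(buggy: bool) -> dict:
    # Constructed scenario: two equal stakers, one distribution, one claim by alice.
    fc = FeeCollectorModel(buggy=buggy, shares={"alice": 50, "bob": 50})
    fc.distribute_collected_fees(1000)
    first = fc.claim_rewards("alice")
    return {"first_claim": first,
            "ledger_alice": fc.user_rewards["alice"],
            "consistent": fc.ledger_consistent()}
```

With the bug, alice is paid 500 but the ledger records 1000 (the whole distribution), so the invariant fails; with the fix the ledger and payouts agree across repeated distribute/claim rounds.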