The claimRewards()
function in FeeCollector incorrectly updates a user’s claimed rewards to totalDistributed
instead of incrementing by pendingReward
. This results in incorrect reward tracking, leading to improper distributions and denail of legitimate reward claims by users.
The vulnerability is present in the following code snippet from claimRewards()
:
Instead of incrementing userRewards[user]
by the amount being claimed (pendingReward
), the function incorrectly sets it to totalDistributed
. This results in subsequent user claims being denied due to:
This check will then default to 0 even though the user has a legitimate share, eg:
Let's assume the following initial conditions:
totalDistributed = 1000
(Total rewards distributed so far)
userVotingPower = 10
totalVotingPower = 100
userRewards[user] = 0
(User has not claimed any rewards yet)
Pending Reward Calculation
share = (1000 * 10) / 100 = 100
pendingReward = share - userRewards[user] = 100 - 0 = 100
Incorrect Update of userRewards[user]
userRewards[user]
should have been userRewards[user] += pendingReward
, meaning it should be 100
, but instead, it is set to 1000
.
Suppose totalDistributed
increases to 1500
due to additional rewards being distributed.
Pending Reward Calculation (Second Claim)
Since userRewards[user] = 1000
, which is greater than the new share (150)
, the calculation results in 0
, effectively denying the user any further claims.
Incorrect Reward Accounting – Users may receive incorrect reward amounts due to the improper update of userRewards[user]
.
Denial of legitimate user claims.
Manual Code Review
Correct Reward Calculation – Update the claim logic to properly increment the claimed rewards:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.