The claimRewards function allows any external caller to trigger a reward claim on behalf of any user. This design flaw enables malicious actors to forcibly claim rewards for other users, potentially causing unintended consequences.
The function currently accepts an external user address as a parameter:
Since this function can be called by any external entity, it enables a scenario where a malicious actor could trigger a claim for another user without their consent. This could be problematic if users prefer to accumulate rewards for a larger claim later, or if the claiming process interacts with other smart contracts in a way that affects user strategies.
Users may have rewards claimed at an unintended time.
This could interfere with yield strategies that depend on claim timing.
Manual code review
Restrict the claim function so that only the user themselves can trigger their reward claim:
Alternatively, require explicit approval for a third party to claim rewards on behalf of a user.
Implement access control mechanisms to ensure only authorized addresses can trigger claims.
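The following is an added illustration, not the audited project's code: a minimal reward contract showing the unrestricted claim pattern described above next to the recommended fix (caller must be the user, or a delegate the user explicitly approved). The contract name, storage layout and helper functions are assumptions; only the name claimRewards comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reward contract used to illustrate the finding.
contract RewardVault {
    address public immutable owner;
    mapping(address => uint256) public pendingRewards;
    // Explicit opt-in: user => delegate => may claim on the user's behalf
    mapping(address => mapping(address => bool)) public claimDelegates;

    event RewardsClaimed(address indexed user, address indexed caller, uint256 amount);
    event ClaimDelegateSet(address indexed user, address indexed delegate, bool allowed);

    constructor() { owner = msg.sender; }

    // Accrual is restricted so the example is self-contained (assumed design).
    function accrue(address user, uint256 amount) external {
        require(msg.sender == owner, "RewardVault: not owner");
        pendingRewards[user] += amount;
    }

    // Flawed pattern from the finding: any caller can force a claim for any user,
    // so a third party decides when the user's rewards are realised.
    function claimRewardsUnrestricted(address user) external {
        _claim(user);
    }

    // Recommended fix: only the user, or a delegate the user approved, may claim.
    function claimRewards(address user) external {
        require(
            msg.sender == user || claimDelegates[user][msg.sender],
            "RewardVault: caller not authorized to claim for user"
        );
        _claim(user);
    }

    // Optional third-party approval, revocable by the user at any time.
    function setClaimDelegate(address delegate, bool allowed) external {
        claimDelegates[msg.sender][delegate] = allowed;
        emit ClaimDelegateSet(msg.sender, delegate, allowed);
    }

    function _claim(address user) internal {
        uint256 amount = pendingRewards[user];
        require(amount > 0, "RewardVault: nothing to claim");
        pendingRewards[user] = 0; // zero the balance before any external interaction
        // Token transfer or downstream contract interaction would follow here (omitted).
        emit RewardsClaimed(user, msg.sender, amount);
    }
}
```

The emitted caller address makes off-chain monitoring straightforward: any RewardsClaimed event where caller differs from user and no matching ClaimDelegateSet approval exists indicates the restriction is missing or bypassed.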