Incorrect Reward Checkpoint Prevents Future Reward Claims Due to Arithmetic Comparison
Summary:
The FeeCollector contract's 'claimRewards' contains a critical flaw in its checkpoint logic. By setting userRewards[user] = totalDistributed, the contract prevents users from claiming future rewards because the calculated share will always be less than their checkpoint value.
Vulnerability Details:
In the claimRewards function:
The issue arises because of the reward calculation in _calculatePendingRewards:
Mathematical proof of the issue:
After first claim:
userRewards[user] = totalDistributedFor any subsequent claim:
share = (totalDistributed * userVotingPower) / totalVotingPowerSince
userVotingPower < totalVotingPower, thenshare < totalDistributedTherefore
share < userRewards[user]alwaysResult: returns 0, making rewards unclaimable
Impact:
Users can only claim rewards once
All subsequent reward distributions become unclaimable
Breaks the entire reward distribution mechanism
Loss of funds for users who should receive rewards
Tools Used:
Manual code review
Recommendations:
Track claimed amount instead of total distributed.
Alternative: Use distribution index tracking or use a cumulative rewards per share approach.
Lead Judging Commences
FeeCollector::claimRewards sets `userRewards[user]` to `totalDistributed` seriously grieving users from rewards
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.