Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Unclaimed Rewards Issue in updatePeriod Function

Summary

The updatePeriod function resets the period state and starts a new voting period without considering users who have not yet claimed their rewards from the previous period. This could result in lost or inaccessible rewards for users who did not claim them in time.

Vulnerability Details

The function updatePeriod() updates the period and recalculates new weights based on the previous period’s average weight. However, before resetting the period state, it does not account for users who have not yet claimed their rewards from the ending period. This can cause a scenario where unclaimed rewards are effectively erased or made inaccessible once the state is reset.

Key Issues:

  • The function resets periodState.distributed to 0, which may remove tracking of rewards yet to be claimed.

  • The function sets a new period start time without ensuring that pending rewards from the previous period are handled appropriately.

  • If the unclaimed rewards are not stored separately, users who fail to claim their rewards in time may permanently lose them.

Impact

Users who do not claim their rewards before updatePeriod() is called will likely lose their entitlements.

Tools Used

  • Manual code review

Recommendations

  1. Implement a Claim Grace Period: Before resetting the period state, ensure that users have a grace period to claim pending rewards.
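
Whether a period rollover can strand rewards depends on the condition in the last key issue: are claims keyed to the period they belong to? The sketch below is an added example, not part of the submission and not the audited project's code. It shows a period-keyed layout in which updatePeriod() leaves earlier periods claimable; every name other than updatePeriod and distributed is hypothetical, and access control and the token transfer are left out of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model for illustration only; not the audited contract.
contract PeriodRewardsModel {
    struct PeriodState {
        uint256 startTime;
        uint256 totalWeight; // sum of user weights recorded in this period
        uint256 distributed; // rewards allocated to this period
    }

    uint256 public currentPeriod;
    mapping(uint256 => PeriodState) public periods;                  // period id => state
    mapping(uint256 => mapping(address => uint256)) public weightOf; // period => user => weight
    mapping(uint256 => mapping(address => bool)) public claimed;     // period => user => claimed

    // Access control omitted in this model.
    function recordWeight(address user, uint256 weight) external {
        PeriodState storage p = periods[currentPeriod];
        p.totalWeight = p.totalWeight - weightOf[currentPeriod][user] + weight;
        weightOf[currentPeriod][user] = weight;
    }

    function notifyReward(uint256 amount) external {
        periods[currentPeriod].distributed += amount;
    }

    // Rolling over opens a fresh struct whose `distributed` starts at 0.
    // The closed period's totals stay in storage under their own id.
    function updatePeriod() external {
        currentPeriod += 1;
        periods[currentPeriod].startTime = block.timestamp;
    }

    // Claims read the snapshot of the period they name, so they still
    // resolve after any number of later updatePeriod() calls.
    function claimable(uint256 periodId, address user) public view returns (uint256) {
        PeriodState storage p = periods[periodId];
        if (periodId >= currentPeriod || claimed[periodId][user] || p.totalWeight == 0) return 0;
        return (p.distributed * weightOf[periodId][user]) / p.totalWeight;
    }

    function claim(uint256 periodId) external returns (uint256 amount) {
        amount = claimable(periodId, msg.sender);
        require(amount > 0, "nothing to claim");
        claimed[periodId][msg.sender] = true;
        // Token transfer omitted in this model.
    }
}
```

When reviewing a real contract for this class of issue, the check is the same: trace what the claim path reads and confirm whether the rollover overwrites any of it.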

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
