The claimRewards() function in the FeeCollector contract allows users to claim their rewards multiple times within the same distribution period because there is no check preventing a claim before the next distribution occurs.
The issue exists in the claimRewards() function, which calculates rewards based on totalDistributed but does not track or verify whether a user has already claimed rewards for the current distribution period.
totalDistributed is only updated in _processDistributions(), which is called by distributeCollectedFees(). Between distributions, a user can call claimRewards() multiple times because:
1. _calculatePendingRewards() returns the same amount each time, since totalDistributed has not changed.
2. Although userRewards[user] is updated to totalDistributed, without a new distribution this does not prevent further claims.
3. There is no tracking of when users last claimed or which distribution period they claimed from.
This allows malicious users to drain the contract's balance by claiming the same rewards multiple times before the next distribution occurs.
Manual Review
Add distribution period tracking and prevent multiple claims within the same period.
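The following is an added, hypothetical model of the pattern this finding describes and of the recommended mitigation; it is not the audited FeeCollector code, and all names (FeeCollectorModel, stake, distributionId, lastClaimedDistribution) are assumptions. The vulnerable claim computes pending rewards from totalDistributed alone and never consults what it stored, while the mitigated claim records the distribution period a caller last claimed from and pays only the delta since that claim.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of the finding; not the audited FeeCollector contract.
contract FeeCollectorModel {
    mapping(address => uint256) public shares;
    uint256 public totalShares;
    uint256 public totalDistributed;            // cumulative fees distributed
    mapping(address => uint256) public userRewards;

    // Added for the mitigation: period counter and per-user last claim.
    uint256 public distributionId;
    mapping(address => uint256) public lastClaimedDistribution;

    // Simplified bookkeeping only; a real contract would move tokens here.
    function stake(uint256 amount) external {
        shares[msg.sender] += amount;
        totalShares += amount;
    }

    // Stand-in for distributeCollectedFees() -> _processDistributions():
    // the only place totalDistributed (and the period counter) advance.
    function distributeCollectedFees() external payable {
        totalDistributed += msg.value;
        distributionId += 1;
    }

    // Depends only on totalDistributed, so it returns the same value on
    // every call until the next distribution.
    function _calculatePendingRewards(address user) internal view returns (uint256) {
        return totalDistributed * shares[user] / totalShares;
    }

    // Vulnerable pattern: userRewards is written but never read, so a
    // second call in the same period pays the same amount again.
    function claimRewardsVulnerable() external {
        uint256 pending = _calculatePendingRewards(msg.sender);
        userRewards[msg.sender] = totalDistributed;
        (bool ok, ) = msg.sender.call{value: pending}("");
        require(ok, "transfer failed");
    }

    // Mitigated: one claim per distribution period, paying only the share
    // of fees distributed since the caller's previous claim.
    function claimRewards() external {
        require(lastClaimedDistribution[msg.sender] < distributionId, "already claimed this period");
        lastClaimedDistribution[msg.sender] = distributionId;
        uint256 pending = (totalDistributed - userRewards[msg.sender]) * shares[msg.sender] / totalShares;
        userRewards[msg.sender] = totalDistributed;                      // effects before interaction
        (bool ok, ) = msg.sender.call{value: pending}("");
        require(ok, "transfer failed");
    }
}
```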