The reward.lastUpdateTimestamp is not updated correctly either; the impact is that lastUpdateTimestamp can be stale and make the check below ineffective.
Thanks for the submission. This is a valid mistake on our end; the team was aware of this issue, and the fix is in a separate branch pending merge to master, well before the audit started. However, the impact of the issue is not as severe as you claim, and our team did not roll out the fix because it was deemed to be low severity and can be rolled out in a patch.
The users will not be able to claim all their funds by calling this function, but they can still retrieve all their funds by calling the claimReward() function. There is no loss of funds. lastUpdateTimestamp could be stale, but there are no vulnerabilities exposed from the stale value. Please submit a proof of concept if you would like to disagree with this analysis.
The bug does not meet any of the requirements for a medium severity issue:
Gas griefing attacks (make users overpay for gas)
Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
Github username: @ArnieGod
Submission hash (on-chain): 0x5719a34f5400575f90b590069b529599686f752ffacaa11896483ee11599d99b
Severity: medium severity
Description:
Vulnerability Report
Description
In IncentivesController.sol
the function above calls into
_batchUpdate(user, userState);
this function call will accrue rewards and update the reward timestamp. However when we call
claimAllRewards
the
_batchUpdate(user, userState)
function is not called; therefore the accrued rewards and the reward timestamp are never updated. Additionally,
the reward.lastUpdateTimestamp is not updated correctly either; the impact is that lastUpdateTimestamp can be stale and make the check below ineffective.
impact
claimAllRewards does not take the pending accrued reward into consideration, and lastUpdateTimestamp can be stale.
code snippet
VMEX-0x050183b53cf62bcd6c2a932632f8156953fd146f/packages/contracts/contracts/protocol/incentives/IncentivesController.sol
Lines 203 to 220 in fb396a3
recommendation
I recommend adding
_batchUpdate(user, userState)
to the claimAllRewards
function.
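As an added illustration of the accrual pattern discussed in this issue (not the VMEX contract), a hypothetical minimal model in which claimReward() runs the update before paying out, a claimAllRewards variant skips it, and the recommended fix adds the missing call. The struct fields, RATE, _payOut and the function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal model of per-user reward accrual (not the VMEX contract).
contract RewardsModel {
    struct UserState {
        uint256 accrued;             // rewards accrued but not yet paid out
        uint256 lastUpdateTimestamp; // when `accrued` was last brought up to date
    }

    uint256 public constant RATE = 1e18; // assumed reward per second per user
    mapping(address => UserState) internal userState;
    mapping(address => uint256) public paid;

    // Accrues pending rewards since the last update and refreshes the timestamp.
    function _batchUpdate(address /*user*/, UserState storage s) internal {
        if (s.lastUpdateTimestamp != 0) {
            s.accrued += (block.timestamp - s.lastUpdateTimestamp) * RATE;
        }
        s.lastUpdateTimestamp = block.timestamp;
    }

    // Pays out whatever is currently recorded as accrued and resets it.
    function _payOut(address user, UserState storage s) internal returns (uint256 amount) {
        amount = s.accrued;
        s.accrued = 0;
        paid[user] += amount;
    }

    // Correct path: bring the state up to date, then pay out.
    function claimReward() external returns (uint256) {
        UserState storage s = userState[msg.sender];
        _batchUpdate(msg.sender, s);
        return _payOut(msg.sender, s);
    }

    // Buggy path (the pattern reported above): pays only what was accrued at the
    // last update; rewards earned since then stay pending and the timestamp is stale.
    function claimAllRewardsBuggy() external returns (uint256) {
        return _payOut(msg.sender, userState[msg.sender]);
    }

    // Recommended fix: identical to the buggy path plus the missing update call.
    function claimAllRewardsFixed() external returns (uint256) {
        UserState storage s = userState[msg.sender];
        _batchUpdate(msg.sender, s);
        return _payOut(msg.sender, s);
    }
}
```

In this model the pending amount skipped by the buggy path is still picked up by the next _batchUpdate, which is why the stale timestamp shows up as an accounting lag rather than a loss; an auditor would confirm whether the real contract's check that reads lastUpdateTimestamp tolerates that lag.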