Platform: Code4rena
Start Date: 07/03/2024
Pot Size: $63,000 USDC
Total HM: 20
Participants: 36
Period: 5 days
Judge: cccz
Total Solo HM: 11
Id: 349
League: BLAST
Rank: 32/36
Findings: 1
Award: $15.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ether_sky
Also found by: 0x11singh99, 0xE1, 0xJaeger, Bauchibred, Bigsam, Bozho, Breeje, DarkTower, HChang26, SpicyMeatball, Trust, ZanyBonzy, albahaca, bareli, blutorque, grearlake, hals, hassan-truscova, hihen, oualidpro, pfapostol, ravikiranweb3, slvDev, zhaojie
15.328 USDC - $15.33
The rewardTokens array is vulnerable to potential future failure because once tokens are added they can no longer be removed.
The current version of the LockingMultiRewards contract does not allow rewardTokens to be removed. They can only be added using the addReward function; however, in case some of them are not valid anymore, there is no function for removing them from the list.
Manual checking
Implement a function that allows the owner to remove reward tokens from the list.
Context
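The recommended mitigation, sketched as an added example (not code from LockingMultiRewards or from the report's author). Only `rewardTokens` and `addReward` come from the finding; the contract name, the single-owner check, the index mapping, the events and errors, and `removeReward` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only: a minimal registry, NOT the LockingMultiRewards source.
/// `rewardTokens` and `addReward` are names from the finding; everything else is assumed.
contract RewardTokenRegistry {
    address public immutable owner; // assumed single-owner access control
    address[] public rewardTokens;
    // 1-based position of each token in rewardTokens; 0 means "not listed"
    mapping(address => uint256) private indexPlusOne;

    event RewardAdded(address indexed token);
    event RewardRemoved(address indexed token);

    error NotOwner();
    error ZeroAddress();
    error AlreadyListed(address token);
    error NotListed(address token);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    function addReward(address token) external onlyOwner {
        if (token == address(0)) revert ZeroAddress();
        if (indexPlusOne[token] != 0) revert AlreadyListed(token); // no duplicates
        rewardTokens.push(token);
        indexPlusOne[token] = rewardTokens.length;
        emit RewardAdded(token);
    }

    /// Hypothetical removal: move the last entry into the vacated slot, then pop.
    /// Constant gas regardless of list size; list order is not preserved.
    function removeReward(address token) external onlyOwner {
        uint256 pos = indexPlusOne[token];
        if (pos == 0) revert NotListed(token);
        uint256 lastPos = rewardTokens.length;
        if (pos != lastPos) {
            address moved = rewardTokens[lastPos - 1];
            rewardTokens[pos - 1] = moved;
            indexPlusOne[moved] = pos; // keep the moved token's index in sync
        }
        rewardTokens.pop();
        delete indexPlusOne[token];
        emit RewardRemoved(token);
    }
}
```

A removal function in a live rewards contract also has to decide what happens to rewards already accrued in the removed token; the page does not show that accounting, so this sketch leaves it out.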
#0 - 0xm3rlin
2024-03-15T00:45:27Z
no factor
#1 - c4-pre-sort
2024-03-15T13:19:25Z
141345 marked the issue as sufficient quality report
#2 - 141345
2024-03-15T13:19:33Z
Remove reward token lacks detailed impact; QA is more appropriate.
#3 - Ivan-Dosev
2024-03-23T14:45:13Z
@141345 Thank you for the review. I think it should be considered because in case there is an issue with the reward token. Let's say a vulnerability that occurs later, caused by an external factor. For example, the compiler version in the Curves attack, but applied to the Solidity version of the reward contract or similar. The vulnerability will persist and the protocol would not be able to isolate it.
#4 - c4-sponsor
2024-03-28T17:57:43Z
0xCalibur (sponsor) disputed
#5 - thereksfour
2024-03-29T10:40:38Z
Consider QA, no direct impact.
#6 - c4-judge
2024-03-29T10:41:36Z
thereksfour changed the severity to QA (Quality Assurance)