Platform: Code4rena
Start Date: 09/12/2021
Pot Size: $25,000 USDC
Total HM: 12
Participants: 25
Period: 4 days
Judge: LSDan
Total Solo HM: 4
Id: 64
League: ETH
Rank: 19/25
Findings: 2
Award: $280.70
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: gpersoon
Also found by: 0xabcc, csanuragjain, harleythedog, kenzo, leastwood
0xabc
in function claimRewards, there is no checking on value in _epochIds. Exploiter can claim more than the promotion award by calling the function with outrange epochs.
Consider a promotion with promitionid X and numberOfEpochs =Y. Exploiter hold any number of ticket to be eligible to claim rewards. Then exploiter call claimRewards(exploiter_address, X, Z) when block.timestamp > _promotion.startTimestamp + _epochDuration * (Z+1) and Y < Z <255 Given there is no checking in _epochId, I can draw the excess award by calling the above function 255 - Y times.
For extreme case, exploiter creates a promotion himself with numberOfEpochs =1 and epochDuration=1. Exploiter joins this promotion and he call claimRewards(exploiter_address, promotionId, Z) every second after the promotion end. (i.e. Z range from 1 to 255) He can draw 255 x tokensPerEpoch in token from the pool.
Add the following to check the value of _epochId in L174 of TwabRewards.sol require( _epochId <_promotion.numberOfEpochs, "TwabRewards/epochid-overflow" );
#0 - PierrickGT
2021-12-13T17:11:32Z
🌟 Selected for report: gpersoon
Also found by: 0xabcc, WatchPug, cmichel, danb, gzeon, pauliax, pmerkleplant, sirhashalot
0xabc
L255 Given block.timestamp always >0, if _promotionEndTimestamp >= block.timestamp then _promotionEndTimestamp >0 is a must. We can simplify L255 to "_promotionEndTimestamp >= block.timestamp,"
#0 - PierrickGT
2021-12-13T16:30:45Z