Ajna Protocol - Evo's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH


Findings Distribution

Researcher Performance

Rank: 110/114

Findings: 1

Award: $15.58

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

15.5756 USDC - $15.58

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-251

External Links

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L597

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L815

Vulnerability details

Impact

Stakers will earn less than expected.

Proof of Concept

In the _claimRewards function at https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L597, _transferAjnaRewards is called to pay out the rewardsEarned accumulated for the staker's tokenId. The issue is in the following line at https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L815:

if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance;

When _transferAjnaRewards transfers rewardsEarned_, it checks whether rewardsEarned_ exceeds the contract's AJNA (ERC20) balance and, if so, overwrites rewardsEarned_ with that balance. The difference is silently dropped rather than carried forward, so the staker loses part of the rewards they legitimately earned for no reason attributable to them. Stakers who claim after staking for a period of time therefore receive an unpredictable amount that depends on the contract's balance at claim time rather than on what they actually accrued.

Tools Used

Manual Review

Recommended Mitigation Steps

Track the unpaid portion of rewardsEarned_ per tokenId in a mapping: pay out what the current balance allows, and keep the remainder in that mapping so it can be transferred later once the contract holds enough AJNA again.
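The capping behaviour described in the Proof of Concept and the tracked-remainder mitigation, side by side, as an added example that is not Ajna's code: the contract name RewardsPayoutExample, the functions _transferAjnaRewardsCapped and _transferAjnaRewardsTracked, the pendingRewards mapping and the RewardsPaid event are all assumed names, and the ERC20 interface is reduced to the two calls the example uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not Ajna code. Minimal ERC20 surface needed for the demo.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// "Before" mirrors the finding: the payout is silently capped to the contract balance.
// "After" pays what the balance allows and records the shortfall per tokenId so the
// staker can collect the remainder once the contract is funded again.
contract RewardsPayoutExample {
    IERC20 public immutable ajna;

    // Hypothetical bookkeeping added for the mitigation: unpaid rewards per tokenId.
    mapping(uint256 => uint256) public pendingRewards;

    event RewardsPaid(uint256 indexed tokenId, address indexed to, uint256 paid, uint256 deferred);

    constructor(IERC20 ajna_) {
        ajna = ajna_;
    }

    // "Before": any excess over the contract balance is dropped and never accounted for.
    function _transferAjnaRewardsCapped(address to_, uint256 rewardsEarned_) internal returns (uint256) {
        uint256 ajnaBalance = ajna.balanceOf(address(this));
        if (rewardsEarned_ > ajnaBalance) rewardsEarned_ = ajnaBalance; // the capping line
        if (rewardsEarned_ != 0) require(ajna.transfer(to_, rewardsEarned_), "transfer failed");
        return rewardsEarned_;
    }

    // "After": pay up to the balance, carry the rest forward in pendingRewards.
    function _transferAjnaRewardsTracked(uint256 tokenId_, address to_, uint256 rewardsEarned_)
        internal
        returns (uint256 paid, uint256 deferred)
    {
        // Include anything deferred from an earlier under-funded claim.
        uint256 owed = rewardsEarned_ + pendingRewards[tokenId_];
        uint256 ajnaBalance = ajna.balanceOf(address(this));
        paid = owed > ajnaBalance ? ajnaBalance : owed;
        deferred = owed - paid;
        // Checks-effects-interactions: record the shortfall before the external transfer.
        pendingRewards[tokenId_] = deferred;
        if (paid != 0) require(ajna.transfer(to_, paid), "transfer failed");
        emit RewardsPaid(tokenId_, to_, paid, deferred);
    }

    // Public entry points so the two behaviours can be compared from a test harness.
    function claimCapped(uint256 rewardsEarned_) external returns (uint256) {
        return _transferAjnaRewardsCapped(msg.sender, rewardsEarned_);
    }

    function claimTracked(uint256 tokenId_, uint256 rewardsEarned_) external returns (uint256, uint256) {
        return _transferAjnaRewardsTracked(tokenId_, msg.sender, rewardsEarned_);
    }
}
```

With a contract balance of 40 tokens and a claim of 100, claimCapped pays 40 and forgets the other 60, while claimTracked pays 40 and leaves pendingRewards[tokenId] at 60; a later claimTracked call after the contract is refunded adds that 60 back into the amount owed. The two claim functions are deliberately unguarded so the accounting can be exercised directly; a real rewards manager would gate them on tokenId ownership and on the staking accounting that computes rewardsEarned_ in the first place.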

Assessed type

Token-Transfer

#0 - c4-judge

2023-05-12T10:34:01Z

Picodes marked the issue as duplicate of #361

#1 - c4-judge

2023-05-29T20:55:43Z

Picodes changed the severity to 3 (High Risk)

#2 - c4-judge

2023-05-29T20:56:28Z

Picodes marked the issue as satisfactory
