Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $90,500 USDC
Total HM: 47
Participants: 169
Period: 7 days
Judge: LSDan
Total Solo HM: 9
Id: 211
League: ETH
Rank: 165/169
Findings: 1
Award: $4.61
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xdeadbeef0x
Also found by: 0Kage, 0xNazgul, 0xRobocop, Aymen0909, KIntern_NA, Kenshin, KingNFT, Krace, Kumpa, SadBase, aashar, apvlki, btk, cccz, critical-or-high, eccentricexit, fs0c, gjaldon, hansfriese, immeas, mert_eren, mgf15, mrpathfindr, orion, peanuts, rvi0x, rvierdiiev, supernova, ulqiorra, waldenyan20, y1cunhui
4.6115 USDC - $4.61
In claimRewards, the rewardAmount is cached and then a _rewardTokens[i].transfer is triggered which can lead to exploits if the _rewardTokens[i] is a token that gives control to the sender, like ERC777 tokens.
Initial state: msg.sender has some ERC777 tokens in accruedRewards[user][_rewardTokens[i]]
The msg.sender call claimRewards with his own address and ERC777 token
rewardAmount is not equal to zero and escrowInfo.escrowPercentage > 0 is false
_rewardTokens[i].transfer(user, rewardAmount); will transfer tokens to the sender and gives control to the sender
The sender can call claimRewards again with the same args in step 1, until the contract has no balance.
Update the accruedRewards[user][_rewardTokens[i]] before transfer.
#0 - c4-judge
2023-02-16T07:39:53Z
dmvt marked the issue as duplicate of #54
#1 - c4-sponsor
2023-02-18T12:11:10Z
RedVeil marked the issue as sponsor confirmed
#2 - c4-judge
2023-02-23T00:49:11Z
dmvt marked the issue as partial-50
#3 - c4-judge
2023-03-01T00:38:11Z
dmvt marked the issue as full credit
#4 - c4-judge
2023-03-01T00:38:16Z
dmvt marked the issue as satisfactory