Ajna Protocol - shealtielanz's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH

Researcher Performance

Rank: 15/114

Findings: 1

Award: $845.55

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Jorgect

Also found by: ABAIKUNANBAEV, shealtielanz

Labels

bug
3 (High Risk)
satisfactory
sponsor confirmed
upgraded by judge
duplicate-132

Awards

845.5499 USDC - $845.55

External Links

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/RewardsManager.sol#L135

Vulnerability details

Severity

Medium

Rewards may be claimed multiple times using the moveStakedLiquidity() function.

Summary

The RewardsManager.moveStakedLiquidity() function does not check whether rewards have already been claimed.

Vulnerability Details

The moveStakedLiquidity function, after running some checks and initializing some variables, calls the _claimRewards function but does not check whether rewards have already been claimed.

Link To Code

    function moveStakedLiquidity(
        uint256 tokenId_,
        uint256[] memory fromBuckets_,
        uint256[] memory toBuckets_,
        uint256 expiry_
    ) external nonReentrant override {
        StakeInfo storage stakeInfo = stakes[tokenId_];

        if (msg.sender != stakeInfo.owner) revert NotOwnerOfDeposit();

        // check move array sizes match to be able to match on index
        uint256 fromBucketLength = fromBuckets_.length;
        if (fromBucketLength != toBuckets_.length) revert MoveStakedLiquidityInvalid();

An attacker may use this to their advantage by calling the moveStakedLiquidity() function multiple times, thereby collecting rewards each time.

Impact

Rewards may be claimed multiple times by a lender through moving liquidity.

Tools Used

Manual Review

The check done in the claimRewards function to stop this kind of vulnerability should be implemented in the moveStakedLiquidity function.

    if (isEpochClaimed[tokenId_][epochToClaim_]) revert AlreadyClaimed();

Assessed type

Invalid Validation
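
The missing guard, shown in a reduced model. This is an added example, not code from the report or from the Ajna repository; apart from `isEpochClaimed`, `AlreadyClaimed` and `NotOwnerOfDeposit`, every name and the flat per-epoch reward are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

/// Reduced model of per-epoch reward claiming. NOT the Ajna RewardsManager:
/// function names, storage layout and the flat reward are hypothetical.
contract EpochClaimModel {
    error AlreadyClaimed();
    error NotOwnerOfDeposit();

    uint256 public constant REWARD_PER_EPOCH = 100; // constructed value
    uint256 public currentEpoch = 1;

    mapping(uint256 => address) public stakeOwner;                      // tokenId => owner
    mapping(uint256 => mapping(uint256 => bool)) public isEpochClaimed; // tokenId => epoch => claimed
    mapping(address => uint256) public credited;                        // rewards paid out so far

    function stake(uint256 tokenId_) external {
        require(stakeOwner[tokenId_] == address(0), "already staked");
        stakeOwner[tokenId_] = msg.sender;
    }

    function advanceEpoch() external {
        ++currentEpoch;
    }

    // Shared payout path. It records the claim but does not reject a repeat,
    // so every external entry point that reaches it must check first.
    function _claim(uint256 tokenId_, uint256 epoch_) internal {
        isEpochClaimed[tokenId_][epoch_] = true;
        credited[msg.sender] += REWARD_PER_EPOCH;
    }

    // Before: the move path pays out without consulting isEpochClaimed,
    // so repeated calls in the same epoch credit the reward each time.
    function moveUnguarded(uint256 tokenId_) external {
        if (msg.sender != stakeOwner[tokenId_]) revert NotOwnerOfDeposit();
        _claim(tokenId_, currentEpoch);
        // ... liquidity would be moved between buckets here
    }

    // After: the same check the report quotes from claimRewards.
    function moveGuarded(uint256 tokenId_) external {
        if (msg.sender != stakeOwner[tokenId_]) revert NotOwnerOfDeposit();
        if (isEpochClaimed[tokenId_][currentEpoch]) revert AlreadyClaimed();
        _claim(tokenId_, currentEpoch);
        // ... liquidity would be moved between buckets here
    }
}
```

In this model, two calls to `moveUnguarded` in one epoch leave `credited` at 200, while the second call to `moveGuarded` reverts with `AlreadyClaimed`. Reverting follows the report's recommendation; whether a repeat move should revert or proceed without a payout is a separate design decision.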

#0 - c4-judge

2023-05-18T16:13:24Z

Picodes marked the issue as primary issue

#1 - c4-sponsor

2023-05-19T19:23:27Z

MikeHathaway marked the issue as sponsor confirmed

#2 - c4-judge

2023-05-30T22:02:57Z

Picodes marked issue #132 as primary and marked this issue as a duplicate of 132

#3 - c4-judge

2023-05-31T14:06:41Z

Picodes marked the issue as satisfactory

#4 - c4-judge

2023-05-31T14:06:50Z

Picodes changed the severity to 3 (High Risk)
