This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

web3pwn - Users might not be able to claim bribe rewards #110

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments


sherlock-admin4 commented Jul 15, 2024

web3pwn

Medium

Users might not be able to claim bribe rewards

Summary

The claim function of the BribeRewarder contract can lead to denial of service if users delay claiming rewards for many periods or if there's a large gap between _startVotingPeriod and endPeriod. The function's loop through each period, including those without rewards, can cause out-of-gas errors.

Vulnerability Detail

The claim function of the BribeRewarder contract allows users to claim bribe rewards for voting. The function loops from _startVotingPeriod until the last finished period. This can cause issues if a user does not claim rewards for multiple periods after bribing finishes or if the difference between _startVotingPeriod and endPeriod is large enough to lead to a denial of service condition, as the _modify function must be executed for periods where there is no reward.

Issue Scenario 1:

  1. The BribeRewarder has start and end periods set to 1-10 (10 periods).
  2. The user votes and accumulates rewards.
  3. The user does not claim rewards for multiple periods after bribing finishes.
  4. The last finished period is 30.
  5. The user tries to claim rewards but is unable to due to an out-of-gas error, as the loop in the claim function iterates from 1 to the last finished period (30), executing the _modify logic for all of them.

Issue Scenario 2:

  1. The BribeRewarder has start and end periods set to 1-30 (30 periods).
  2. The user votes and accumulates rewards.
  3. The user does not claim rewards until bribing finishes.
  4. The last finished period is 30.
  5. The user tries to claim rewards but is unable to due to an out-of-gas error, as the loop needs to iterate over 30 periods, executing the _modify logic for each.

Impact

Users might be unable to claim accumulated bribe rewards.

Code Snippet

Tool used

Manual Review

Recommendation

It is recommended to add pagination to the claim function to allow users to claim partial rewards. In addition, the loop should be capped at the _lastVotingPeriod.
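As an added illustration (not the audited BribeRewarder code, which this issue does not reproduce), the following hypothetical Solidity contract shows both caps the recommendation asks for: the loop stops at _lastVotingPeriod, and each claim() call walks at most MAX_PERIODS_PER_CLAIM periods, checkpointing where the next call resumes. Everything except the names _startVotingPeriod and _lastVotingPeriod is an assumption made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Hypothetical, minimal model of a period-based bribe rewarder.
/// It is NOT the audited BribeRewarder; all names other than
/// _startVotingPeriod / _lastVotingPeriod are assumptions for this example.
contract PaginatedBribeRewarder {
    uint256 public immutable _startVotingPeriod; // first period that carries a bribe
    uint256 public immutable _lastVotingPeriod;  // last period that carries a bribe
    uint256 public constant MAX_PERIODS_PER_CLAIM = 10; // assumed page size

    /// @dev Assumed to be advanced by the voter contract when a period ends.
    uint256 public lastFinishedPeriod;

    /// @dev period => user => unclaimed reward; assumed to be filled by the voting logic.
    mapping(uint256 => mapping(address => uint256)) public pendingReward;

    /// @dev user => first period that has not been claimed yet (the pagination checkpoint).
    mapping(address => uint256) private _nextClaimPeriod;

    constructor(uint256 startPeriod, uint256 lastPeriod) {
        require(startPeriod <= lastPeriod, "bad range");
        _startVotingPeriod = startPeriod;
        _lastVotingPeriod = lastPeriod;
    }

    // ---- test-only setters standing in for the voter / bribe logic ----
    function setLastFinishedPeriod(uint256 p) external { lastFinishedPeriod = p; }
    function setPendingReward(uint256 period, address user, uint256 amount) external {
        pendingReward[period][user] = amount;
    }

    /// @notice Inclusive period range the next claim() call will walk for `user`.
    function claimRange(address user) public view returns (uint256 from, uint256 to) {
        from = _nextClaimPeriod[user];
        if (from < _startVotingPeriod) from = _startVotingPeriod;

        // Cap 1: never walk past the last period that can carry a bribe,
        // even if many more voting periods have finished since.
        to = lastFinishedPeriod < _lastVotingPeriod ? lastFinishedPeriod : _lastVotingPeriod;

        // Cap 2: never walk more than MAX_PERIODS_PER_CLAIM periods in one call.
        uint256 pageEnd = from + MAX_PERIODS_PER_CLAIM - 1;
        if (pageEnd < to) to = pageEnd;
    }

    /// @notice Claims the next page of periods; call repeatedly until periodsWalked is 0.
    function claim(address user) external returns (uint256 total, uint256 periodsWalked) {
        (uint256 from, uint256 to) = claimRange(user);
        if (from > to) return (0, 0); // nothing finished and unclaimed in range

        for (uint256 p = from; p <= to; ++p) {
            uint256 amount = pendingReward[p][user];
            if (amount != 0) {
                pendingReward[p][user] = 0;
                total += amount;
            }
        }
        periodsWalked = to - from + 1;
        _nextClaimPeriod[user] = to + 1; // checkpoint so the next call resumes here
        // Payout of `total` (token transfer) is omitted in this model.
    }
}
```

With the issue's Scenario 1 (periods 1-10, last finished period 30) claimRange returns (1, 10), so claim() walks 10 periods rather than 30. With Scenario 2 (periods 1-30) three claim() calls of 10 periods each drain the rewards, and a fourth returns (0, 0) because the checkpoint has moved past _lastVotingPeriod.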

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 21, 2024
@0xSmartContract 0xSmartContract added High A High severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior High A High severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 27, 2024
@0xSmartContract
Collaborator

Considering the criteria and analysis, this issue should be considered invalid because it is primarily related to gas optimization and is not considered a valid medium/high severity issue by the rules. The design does not result in loss of funds or impair core functionality.

P.S.: IOTA EVM's block gas limit is one billion for each block.

@sherlock-admin4 sherlock-admin4 changed the title Blunt Carmine Camel - Users might not be able to claim bribe rewards web3pwn - Users might not be able to claim bribe rewards Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Non-Reward This issue will not receive a payout label Jul 29, 2024