This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

pinalikefruit - Unclaimed Extra Rewards Stuck in Contract After setExtraRewarder Update #559

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2

sherlock-admin2 commented Jul 15, 2024

pinalikefruit

High

Unclaimed Extra Rewards Stuck in Contract After setExtraRewarder Update

Summary

The MasterChef contract includes an extraRewarder token to incentivize users. However, if the extraRewarder address is updated, any unclaimed rewards from the previous extraRewarder cannot be claimed or retrieved, resulting in these tokens being stuck in the contract.

Vulnerability Detail

When users make a deposit or withdrawal, they receive extra rewards directly. If the MasterChefV2::setExtraRewarder function updates the extraRewarder to a new address, users will start receiving rewards from the new extraRewarder. However, any unclaimed rewards from the old extraRewarder cannot be claimed, because the only function that performs the claim, onModify, can only be executed while the rewarder is in the Linked status:

    function onModify(address account, uint256 pid, uint256 oldBalance, uint256 newBalance, uint256 oldTotalSupply)
        public
        override(BaseRewarder, IBaseRewarder)
        returns (uint256 reward)
    {
@>      if (_status != Status.Linked) revert MasterChefRewarder__NotLinked();

        reward = BaseRewarder.onModify(account, pid, oldBalance, newBalance, oldTotalSupply);

        _claim(account, reward);
    }

Additionally, the function available to the owner for handling reward tokens, sweep, does not allow for the retrieval of unclaimed rewards:

    function sweep(IERC20 token, address account) public virtual override onlyOwner {
        uint256 balance = _balanceOfThis(token);

        if (token == _token()) {
            if (_isStopped) {
@>              if (_getTotalSupply() > 0) balance -= _totalUnclaimedRewards;
            } else {
                balance -= _reserve;
            }
        }
        if (balance == 0) revert BaseRewarder__ZeroAmount();

        _safeTransferTo(token, account, balance);

        emit Swept(token, account, balance);
    }

As a result, unclaimed tokens from the old extraRewarder remain stuck in the contract indefinitely.

Impact

Unclaimed extra reward tokens are stuck in the contract forever, effectively lost to both users and the owner.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/7fd1a65b76d50f1bf2555c699ef06cde2b646674/magicsea-staking/src/rewarders/MasterChefRewarder.sol#L68-L78

Tool used

Manual Review

Recommendation

Add a function that allows users or the owner to withdraw unclaimed tokens when the contract is unlinked. This ensures that users can retrieve any rewards owed to them even after an extraRewarder update.
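As an added illustration of the recommendation above (example code, not the MagicSea rewarder and not the submitter's), a hypothetical minimal rewarder that books rewards per account before paying them and keeps booked amounts claimable once the rewarder is unlinked. The reward amount being passed into onModify by the caller, the setLinked hook and the claimUnlinked name are assumptions made for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token surface so this compiles without external dependencies.
interface IERC20 { function balanceOf(address) external view returns (uint256); function transfer(address, uint256) external returns (bool); }

/// Hypothetical minimal rewarder (not the MagicSea code). Rewards are booked per
/// account before being paid, and booked amounts stay claimable after unlinking.
contract UnlinkSafeRewarder {
    enum Status { Unlinked, Linked }
    error NotChef(); error NotLinked(); error StillLinked(); error TransferFailed();
    address public immutable masterChef; // the only caller allowed to link/unlink and modify
    IERC20 public immutable rewardToken;
    Status public status;
    mapping(address => uint256) public unclaimed; // booked but not yet paid, per account

    constructor(address chef, IERC20 token) { masterChef = chef; rewardToken = token; }

    /// Mirrors link/unlink driven by the MasterChef when setExtraRewarder changes (assumed hook).
    function setLinked(bool linked) external {
        if (msg.sender != masterChef) revert NotChef();
        status = linked ? Status.Linked : Status.Unlinked;
    }

    /// Called on deposit/withdraw. The reward amount is assumed to be computed by
    /// the caller (a simplification); it is booked first, then paid as far as possible.
    function onModify(address account, uint256 reward) external {
        if (msg.sender != masterChef) revert NotChef();
        if (status != Status.Linked) revert NotLinked();
        unclaimed[account] += reward;
        _pay(account);
    }

    /// The escape hatch the report asks for: once unlinked, anyone may push an
    /// account's booked rewards to that account, so nothing is stranded.
    function claimUnlinked(address account) external {
        if (status == Status.Linked) revert StillLinked();
        _pay(account);
    }

    /// Pays what the balance allows and keeps the remainder booked (never dropped).
    function _pay(address account) internal {
        uint256 amount = unclaimed[account];
        uint256 available = rewardToken.balanceOf(address(this));
        if (amount > available) amount = available;
        if (amount == 0) return;
        unclaimed[account] -= amount;
        if (!rewardToken.transfer(account, amount)) revert TransferFailed();
    }
}
```

An owner sweep in this design should subtract the sum of all booked amounts regardless of link state, so the owner can never withdraw tokens still owed to users.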

@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Fluffy Arctic Hippo - Unclaimed Extra Rewards Stuck in Contract After setExtraRewarder Update pinalikefruit - Unclaimed Extra Rewards Stuck in Contract After setExtraRewarder Update Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
@WangSecurity WangSecurity removed Medium A Medium severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 20, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Aug 20, 2024
@WangSecurity

Invalid based on the discussion under #460
