Omniscia Echidna Finance Audit
RewardPool Manual Review Findings
RPL-01M: Improper Unstaking Reward Tracking
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Major | RewardPool.sol:L208 |
Description:
The `unStake` function improperly updates the rewards for the `msg.sender` rather than the `_for` address, causing it to be out of sync.
Example:
contracts/rewards/RewardPool.sol
```solidity
204 function unStake(
205     address _for,
206     uint256 amount,
207     bool claim
208 ) public override updateReward(msg.sender) returns (bool) {
```
Recommendation:
We strongly recommend that the `_for` argument be passed in to the `updateReward` call instead, as otherwise the staking reward system is compromised.
Alleviation:
The correct argument is now passed in to the `updateReward` modifier.
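The following Python model is an added illustration, not code from the audit or from Echidna's contracts, of why the modifier argument in RPL-01M matters when the caller and `_for` differ. It assumes the pool uses Synthetix-style per-token reward accounting, which the finding does not confirm; `PoolModel`, `run`, the account names and all numbers are constructed.

```python
from fractions import Fraction

class PoolModel:
    """Assumed Synthetix-style accounting; NOT Echidna's RewardPool code."""
    def __init__(self, rate):
        self.rate = Fraction(rate)      # reward units emitted per second
        self.now = 0                    # stand-in for block.timestamp
        self.last_update = 0
        self.total = 0                  # total staked
        self.rpt_stored = Fraction(0)   # accumulated reward per staked token
        self.balance, self.rpt_paid, self.rewards = {}, {}, {}

    def reward_per_token(self):
        if self.total == 0:
            return self.rpt_stored
        return self.rpt_stored + self.rate * (self.now - self.last_update) / self.total

    def earned(self, who):
        delta = self.reward_per_token() - self.rpt_paid.get(who, 0)
        return self.rewards.get(who, 0) + self.balance.get(who, 0) * delta

    def _update_reward(self, who):
        # Hypothetical body of the updateReward modifier: settle `who` at the
        # current global rate before any balance change.
        self.rpt_stored = self.reward_per_token()
        self.last_update = self.now
        self.rewards[who] = self.earned(who)
        self.rpt_paid[who] = self.rpt_stored

    def stake(self, who, amount):
        self._update_reward(who)
        self.balance[who] = self.balance.get(who, 0) + amount
        self.total += amount

    def unstake(self, caller, _for, amount, fixed):
        # fixed=False mirrors L208: updateReward(msg.sender); fixed=True: updateReward(_for)
        self._update_reward(_for if fixed else caller)
        self.balance[_for] -= amount
        self.total -= amount

def run(fixed):
    """Constructed scenario: alice stakes 100 alone for 100 s at 10 units/s,
    then a different caller unstakes 50 on her behalf."""
    pool = PoolModel(rate=10)
    pool.stake("alice", 100)
    pool.now = 100
    pool.unstake("operator", "alice", 50, fixed)
    return pool.earned("alice")
```

In this model the unsettled checkpoint means the elapsed period is later priced against the reduced balance, so `_for` is credited 500 units instead of the 1000 already accrued.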