Omniscia BlazeSwap Audit

BlazeSwapFtsoReward Manual Review Findings

BFR-01M: Inexistent Guarantee of Epoch Distribution

Description:

The claimFtsoRewards function can be invoked for epochs that have not been properly claimed yet, causing no rewards to be claimed when there could be some owed.

Impact:

Currently, users may be misled as to the rewards they are attempting to claim if the distribution method has not first been invoked properly.

Example:

contracts/core/BlazeSwapFtsoReward.sol
function claimFtsoRewards(
    uint256[] calldata epochs,
    address to,
    bool wrapped
) external lock onlyDelegatedCall {
    BlazeSwapFtsoRewardStorage.Layout storage l = BlazeSwapFtsoRewardStorage.layout();
    IFtsoManager ftsoManager = BlazeSwapFlareLibrary.getFtsoManager();
    uint256 currentRewardEpoch = ftsoManager.getCurrentRewardEpoch();
    uint256 firstRewardEpoch = ftsoManager.getRewardEpochToExpireNext();

    uint256 totalRewards;
    for (uint256 i; i < epochs.length; i++) {
        uint256 epoch = epochs[i];
        if (epoch >= firstRewardEpoch && epoch < currentRewardEpoch) {
            totalRewards += claimFtsoRewards(l, msg.sender, to, epochs[i]);
        }
    }
    if (totalRewards > 0) {
        BlazeSwapRewardManager(BlazeSwapRewardLibrary.rewardManagerFor(address(this))).sendRewards(
            to,
            totalRewards,
            !wrapped
        );
    }
}

Recommendation:

We advise the claimFtsoRewards function to validate that each epoch specified for a claim has also been properly distributed, otherwise distributing on-the-spot or informing the user via an event.
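The "inform the user via an event" option from the recommendation, sketched as an added stand-alone model that is not BlazeSwap code and not part of the original report. Every name in it (EpochClaimModel, distributed, rewardOf, EpochNotDistributed, setEpochWindow, distribute) is hypothetical, and the way distribution status is tracked is an assumption, since the report does not show the project's storage layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration only; all names are hypothetical.
// Token transfers and access control are omitted: only accounting is modelled.
contract EpochClaimModel {
    uint256 public firstRewardEpoch;   // oldest epoch that has not expired
    uint256 public currentRewardEpoch; // epoch still in progress (not claimable)

    mapping(uint256 => bool) public distributed;                     // epoch => distribution ran
    mapping(uint256 => mapping(address => uint256)) public rewardOf; // epoch => user => owed

    event EpochNotDistributed(address indexed user, uint256 indexed epoch);
    event RewardsClaimed(address indexed user, address indexed to, uint256 amount);

    // Stand-in for the values the real contract reads from the FTSO manager.
    function setEpochWindow(uint256 first, uint256 current) external {
        firstRewardEpoch = first;
        currentRewardEpoch = current;
    }

    // Stand-in for the distribution method: credits a user and marks the epoch.
    function distribute(uint256 epoch, address user, uint256 amount) external {
        rewardOf[epoch][user] += amount;
        distributed[epoch] = true;
    }

    function claim(uint256[] calldata epochs, address to) external returns (uint256 total) {
        for (uint256 i; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            // Same window check as the audited loop: skip expired and unfinished epochs.
            if (epoch < firstRewardEpoch || epoch >= currentRewardEpoch) continue;
            if (!distributed[epoch]) {
                // Surface the skipped epoch instead of silently contributing zero.
                emit EpochNotDistributed(msg.sender, epoch);
                continue;
            }
            uint256 owed = rewardOf[epoch][msg.sender];
            rewardOf[epoch][msg.sender] = 0; // clear before any payout
            total += owed;
        }
        if (total > 0) emit RewardsClaimed(msg.sender, to, total);
    }
}
```

A caller that passes an in-window epoch before distribute has run for it receives an EpochNotDistributed log for that epoch, so a front end can tell "nothing owed" apart from "not yet distributed".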

Alleviation:

The BlazeSwap team considered this exhibit but opted not to apply a remediation for it as they have stated they will not remediate any issues of minor severity and below.