Omniscia BlazeSwap Audit
BlazeSwapFtsoReward Manual Review Findings
BFR-01M: Inexistent Guarantee of Epoch Distribution
Type | Severity | Location |
---|---|---|
Logical Fault | | BlazeSwapFtsoReward.sol:L220 |
Description:
The claimFtsoRewards function can be invoked for epochs that have not been properly claimed yet, causing no rewards to be claimed when there could be some owed.
Impact:
Currently, users may be misled about the rewards they are attempting to claim if the distribution method has not been properly invoked first.
Example:
contracts/core/BlazeSwapFtsoReward.sol
```solidity
206 function claimFtsoRewards(
207     uint256[] calldata epochs,
208     address to,
209     bool wrapped
210 ) external lock onlyDelegatedCall {
211     BlazeSwapFtsoRewardStorage.Layout storage l = BlazeSwapFtsoRewardStorage.layout();
212     IFtsoManager ftsoManager = BlazeSwapFlareLibrary.getFtsoManager();
213     uint256 currentRewardEpoch = ftsoManager.getCurrentRewardEpoch();
214     uint256 firstRewardEpoch = ftsoManager.getRewardEpochToExpireNext();
215
216     uint256 totalRewards;
217     for (uint256 i; i < epochs.length; i++) {
218         uint256 epoch = epochs[i];
219         if (epoch >= firstRewardEpoch && epoch < currentRewardEpoch) {
220             totalRewards += claimFtsoRewards(l, msg.sender, to, epochs[i]);
221         }
222     }
223     if (totalRewards > 0) {
224         BlazeSwapRewardManager(BlazeSwapRewardLibrary.rewardManagerFor(address(this))).sendRewards(
225             to,
226             totalRewards,
227             !wrapped
228         );
229     }
230 }
```
Recommendation:
We advise the claimFtsoRewards function to validate that the epoch being specified for a claim has also been properly distributed, otherwise distributing on-the-spot or informing the user via an event.
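The sketch below models two of the recommended options, rejecting the claim or signalling the skipped epoch via an event. It is an added example, not BlazeSwap or Omniscia code. The contract, its storage (`distributed`, `owed`), the `strict` switch and the helper functions are all hypothetical stand-ins, and the on-the-spot distribution option is not shown because the page does not include the distribution logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not BlazeSwap code; every name here is hypothetical.
contract EpochClaimSketch {
    mapping(uint256 => bool) public distributed;                  // epoch => distribution ran
    mapping(uint256 => mapping(address => uint256)) public owed;  // epoch => account => amount
    uint256 public firstRewardEpoch;    // stand-in for getRewardEpochToExpireNext()
    uint256 public currentRewardEpoch;  // stand-in for getCurrentRewardEpoch()

    error EpochNotDistributed(uint256 epoch);
    event ClaimSkipped(address indexed account, uint256 indexed epoch);

    // Stand-ins for the FTSO manager and the distribution step. They carry no
    // access control because this is a model, not deployable code.
    function setWindow(uint256 first, uint256 current) external {
        firstRewardEpoch = first;
        currentRewardEpoch = current;
    }

    function distribute(uint256 epoch, address account, uint256 amount) external {
        distributed[epoch] = true;
        owed[epoch][account] += amount;
    }

    // strict = true  -> revert on an undistributed epoch (validation option)
    // strict = false -> emit ClaimSkipped and keep going (event option)
    function claim(uint256[] calldata epochs, bool strict) external returns (uint256 total) {
        for (uint256 i; i < epochs.length; i++) {
            uint256 epoch = epochs[i];
            // Same window check as the audited function: out-of-range epochs are ignored.
            if (epoch < firstRewardEpoch || epoch >= currentRewardEpoch) continue;
            if (!distributed[epoch]) {
                // Per the finding, the audited path claims nothing here without signalling it.
                if (strict) revert EpochNotDistributed(epoch);
                emit ClaimSkipped(msg.sender, epoch);
                continue;
            }
            uint256 amount = owed[epoch][msg.sender];
            owed[epoch][msg.sender] = 0; // clear before any payout so an epoch cannot be claimed twice
            total += amount;
        }
        // The payout (sendRewards in the audited code) would follow; this model returns the total.
    }
}
```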
Alleviation:
The BlazeSwap team considered this exhibit but opted not to apply a remediation for it as they have stated they will not remediate any issues of minor severity and below.