Omniscia BlazeSwap Audit

BlazeSwapFtsoReward Manual Review Findings

BlazeSwapFtsoReward Manual Review Findings

BFR-01M: Inexistent Guarantee of Epoch Distribution

Description:

The claimFtsoRewards function can be invoked for epochs that have not been properly claimed yet, causing no rewards to be claimed when there could be some owed.

Impact:

Currently, users may be misled as to the rewards they are attempting to claim in case the distribution method hasn't been invoked first properly.

Example:

contracts/core/BlazeSwapFtsoReward.sol
206function claimFtsoRewards(
207    uint256[] calldata epochs,
208    address to,
209    bool wrapped
210) external lock onlyDelegatedCall {
211    BlazeSwapFtsoRewardStorage.Layout storage l = BlazeSwapFtsoRewardStorage.layout();
212    IFtsoManager ftsoManager = BlazeSwapFlareLibrary.getFtsoManager();
213    uint256 currentRewardEpoch = ftsoManager.getCurrentRewardEpoch();
214    uint256 firstRewardEpoch = ftsoManager.getRewardEpochToExpireNext();
215

216    uint256 totalRewards;
217    for (uint256 i; i < epochs.length; i++) {
218        uint256 epoch = epochs[i];
219        if (epoch >= firstRewardEpoch && epoch < currentRewardEpoch) {
220            totalRewards += claimFtsoRewards(l, msg.sender, to, epochs[i]);
221        }
222    }
223    if (totalRewards > 0) {
224        BlazeSwapRewardManager(BlazeSwapRewardLibrary.rewardManagerFor(address(this))).sendRewards(
225            to,
226            totalRewards,
227            !wrapped
228        );
229    }
230}

Recommendation:

We advise the claimFtsoRewards to validate that the epoch being specified for a claim has also been properly distributed, otherwise distributing on-the-spot or informing the user via an event.

Alleviation:

The BlazeSwap team considered this exhibit but opted not to apply a remediation for it as they have stated they will not remediate any issues of minor severity and below.

Prev

BlazeSwapFactory.sol (BSF-M)

Next

BlazeSwapLibrary.sol (BSL-M)

On this page