Fast Khaki Raccoon
Medium
When we distribute rewards with _distributeReward, we send all of the at once in a single for loop.
for (uint256 _i; _i < _allRewardsTokens.length; _i++) {
address _token = _allRewardsTokens[_i];
if (REWARDS_WHITELISTER.paused(_token)) {
continue;
}
// shares * rewardsPerShare[token] / 1e27
uint256 _amount = getUnpaid(_token, _wallet);
rewards[_token][_wallet].realized += _amount;
// shares * rewardsPerShare[token] / 1e27
rewards[_token][_wallet].excluded = _cumulativeRewards(_token, shares[_wallet], true);
if (_amount > 0) {
rewardsDistributed[_token] += _amount;
IERC20(_token).safeTransfer(_wallet, _amount);
emit DistributeReward(_wallet, _token, _amount);
}
}This is very dangerous as if one token revers the whole TX would revert, costing the user their whole rewards, even though only one token is faulty. This can most commonly happen if or when users get blacklisted for specific tokens.
Claiming all rewards in one TX.
for (uint256 _i; _i < _allRewardsTokens.length; _i++) {
address _token = _allRewardsTokens[_i];
if (REWARDS_WHITELISTER.paused(_token)) {
continue;
}
// shares * rewardsPerShare[token] / 1e27
uint256 _amount = getUnpaid(_token, _wallet);
rewards[_token][_wallet].realized += _amount;
// shares * rewardsPerShare[token] / 1e27
rewards[_token][_wallet].excluded = _cumulativeRewards(_token, shares[_wallet], true);
if (_amount > 0) {
rewardsDistributed[_token] += _amount;
IERC20(_token).safeTransfer(_wallet, _amount);
emit DistributeReward(_wallet, _token, _amount);
}
}No response
No response
- Rewards are 10% USDT and 90% WETH
- User gets blacklisted for USDT
- He can't claim his rewards, even thought 90% of them are in a token he is not blacklisted for
- All of these assets would remain stuck inside the contract
Pausing the reward token would not be sufficient given the fact that it would pause it for al users (not only this one).
Users can't claim their rewards. Loss of funds.
No response
Don't send rewards all at once, rather have the user chose for which tokens to claim.