Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Extensible Vaults>Low findings>The ,claimLendingEmissions, function lacks proper batch-claim support
GeneralOverview
Findings
Medium (1)
Low (1)The claimLendingEmissions function lacks proper batch-claim support
DiscussionPrivileged role operationUpdated business logic in the isValidSignature function now restricts calls to off-chain only
Patch ReviewPatch ReviewChanges in contract structureIntroduction of new contracts
Category: Coding Mistakes

The claimLendingEmissions function lacks proper batch-claim support

Low Impact
Low Severity
Low Likelihood

Description

The claimLendingEmissions function in ListaEarnStrategyManager contains a design flaw where it creates a single-element accounts array but accepts multiple tokens, amounts, and proofs arrays. The function hardcodes accounts[0] = address(this), creating an array with only one account, while the batchClaim function expects the arrays to be properly aligned for batch operations across multiple accounts.

function claimLendingEmissions(
    address receiver,
    address[] memory tokens,
    uint256[] memory amounts,
    bytes32[][] memory proofs
) external onlyRole(EMISSION_MANAGER_ROLE) nonReentrant {
    address[] memory accounts = new address[](1);
    accounts[0] = address(this); // Only one account
    
    rewardDistributor.batchClaim(accounts, tokens, amounts, proofs); // Zellic Note: Expects the arrays to be properly aligned across multiple accounts
   
   [...]
}

Impact

The function will revert when called with multiple tokens. Users with EMISSION_MANAGER_ROLE who attempt to claim multiple token types in a single call will be unable to do so.

Recommendations

Modify the claimLendingEmissions function to support multiple accounts, aligning with the batchClaim function's behavior.

Remediation

This issue has been acknowledged by Mitosis, and a fix was implemented in commit 8a182d69.

Zellic © 2025Back to top ↑