Category: Coding Mistakes

The _getAccount function may return inaccurate information

Low Severity
Informational Impact
Medium Likelihood

Description

The function returns the following information:

  • balance, the amount of tokens deposited by the user

  • lockEpochs, the number of epochs for which the tokens are locked

  • lastEpochPaid, the last epoch for which the user has received rewards

  • rewards, an array of the rewards for each token

The function retrieves the first three values from the accounts mapping, while the last value is calculated in a for loop.

The loop iterates over the rewardTokens array, which contains the current list of reward tokens. However, since the accounts[owner].rewards mapping contains rewards for all tokens that the user has ever accrued and not claimed, if the user has accrued rewards for a token that is not in the current rewardTokens list, the function will not include it, resulting in an incomplete rewards list.

function _getAccount(address owner)
    internal
    view
    returns (uint256 balance, uint256 lockEpochs, uint256 lastEpochPaid, uint256[] memory rewards)
{
    rewards = new uint256[](rewardTokens.length);
    for (uint256 i = 0; i < rewardTokens.length;) {
        rewards[i] = accounts[owner].rewards[rewardTokens[i]];

        unchecked {
            ++i;
        }
    }

    return (accounts[owner].balance, accounts[owner].lockEpochs, accounts[owner].lastEpochPaid, rewards);
}

Impact

There are no security risks associated with this bug, but it could potentially cause confusion for users: the function may not accurately reflect the rewards that the user has accrued for tokens that are not currently in the reward tokens list.

Recommendations

We recommend modifying the for loop to iterate over the accounts[owner].rewardTokens array as shown below:

for (uint256 i = 0; i < accounts[owner].rewardTokens.length;) {
    address addr = accounts[owner].rewardTokens[i];
    uint256 reward = accounts[owner].rewards[addr];
    rewards[i] = reward;
    unchecked {
        ++i;
    }
}
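
The recommended loop placed in a complete function, as an added example that is not the audited contract or the code from the fix commit. It assumes Account stores a rewardTokens array next to the rewards mapping, sizes the output from that array instead of the global list, and additionally returns the token addresses (a choice of this example) so that callers can match each amount to its token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract. The Account layout is assumed
// from the identifiers used in the finding.
contract AccountViewExample {
    struct Account {
        uint256 balance;
        uint256 lockEpochs;
        uint256 lastEpochPaid;
        mapping(address => uint256) rewards; // token => accrued, unclaimed amount
        address[] rewardTokens;              // tokens this account has accrued rewards in
    }

    mapping(address => Account) internal accounts;

    function _getAccount(address owner)
        internal
        view
        returns (
            uint256 balance,
            uint256 lockEpochs,
            uint256 lastEpochPaid,
            address[] memory tokens,
            uint256[] memory rewards
        )
    {
        Account storage account = accounts[owner];
        uint256 n = account.rewardTokens.length;

        // Size both arrays from the per-account list. Keeping the original
        // allocation (global rewardTokens.length) would revert with an
        // out-of-bounds panic whenever the account tracks more tokens.
        tokens = new address[](n);
        rewards = new uint256[](n);

        for (uint256 i = 0; i < n;) {
            address token = account.rewardTokens[i];
            tokens[i] = token;
            rewards[i] = account.rewards[token];
            unchecked {
                ++i;
            }
        }

        return (account.balance, account.lockEpochs, account.lastEpochPaid, tokens, rewards);
    }
}
```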

Remediation

The issue has been fixed by H20 in commit 81f252c5.

Zellic © 2023