Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Smart Vault>Low findings>User rewards can be lost
GeneralOverview
Findings
Medium (1)
Low (4)Missing reward-configuration checkDeposit-cap bypassUser rewards can be lostIncorrect tracking of staking amount
Informational (3)
DiscussionReentrancy guard modifier
Threat ModelWhat are threat models?RewardVault.solSmartVault.solSmartVaultManager.sol
Audit ResultsAssessment Results
Category: Code Maturity

User rewards can be lost

Low Impact
Low Severity
Low Likelihood

Description

The updateRewardTokenList function removes all existing reward tokens and adds new ones. The claim function iterates over the _rewardTokenList to get the reward amount for each token, so if a reward token is removed during the reward period, users' rewards will be lost.

function updateRewardTokenList(IERC20[] memory rewardTokenList) external onlyManager {
    _updateAllLastRewardPerToken();
    delete _rewardTokenList;
    for (uint256 i; i < rewardTokenList.length; i++) {
        IERC20 rewardToken = rewardTokenList[i];
        _checkIsNotZeroAddress(address(rewardToken));
        _rewardTokenList.push(rewardToken);
    }

    emit RewardTokenListUpdated(rewardTokenList);
}

Impact

If a reward token is removed during the reward period, users' rewards will be lost.

Recommendations

Add a check to ensure that a reward token is not removed during the reward period.

Remediation

This issue has been acknowledged by River, and a fix was implemented in commit c6177f62.

Zellic © 2025Back to top ↑