[WP-H2] money-market-contracts/contracts/market claim_rewards may revert due to spend_limit set on distributor #46
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
Lines of code
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/money-market-contracts/contracts/market/src/borrow.rs#L216-L234
Vulnerability details
When calling claim_rewards from the money-market, it calls the distributor_contract#spend() to send the rewards.
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/money-market-contracts/contracts/market/src/borrow.rs#L216-L234
However, the distributor_contract#spend() function has a spend_limit config and it will revert if the amount is larger than the spend_limit.
https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-token-contracts/contracts/distributor/src/contract.rs#L153-L155
As a result, users won't be able to claim their rewards anymore once the amount of the rewards exceeds the spend_limit config on distributor_contract.
Recommendation
Consider removing the spend_limit or allowing users to specify an amount when calling claim_rewards.
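The revert and the recommended partial claim, as an added example that is not part of the original issue or of the Anchor code base. It is a simplified Rust model: u128 stands in for the contract's integer type, and Borrower, pending_rewards, ClaimError and claim_rewards_all are hypothetical names; all values are constructed.

```rust
// Simplified model of the interaction described in the issue (not Anchor's code).
#[derive(Debug, PartialEq)]
pub enum ClaimError {
    SpendLimitExceeded { amount: u128, spend_limit: u128 },
    NothingToClaim,
}

pub struct Distributor { pub spend_limit: u128 }

impl Distributor {
    // The check the issue points at: any amount above spend_limit is rejected.
    pub fn spend(&self, amount: u128) -> Result<u128, ClaimError> {
        if amount > self.spend_limit {
            return Err(ClaimError::SpendLimitExceeded { amount, spend_limit: self.spend_limit });
        }
        Ok(amount)
    }
}

pub struct Borrower { pub pending_rewards: u128 } // hypothetical field name

// Behaviour the issue describes: the whole pending balance is sent in one spend().
pub fn claim_rewards_all(d: &Distributor, b: &mut Borrower) -> Result<u128, ClaimError> {
    claim_rewards(d, b, None)
}

// Recommended variant: the caller may pass an amount, so a balance above
// spend_limit can still be withdrawn over several calls.
pub fn claim_rewards(d: &Distributor, b: &mut Borrower, amount: Option<u128>) -> Result<u128, ClaimError> {
    let claim = amount.unwrap_or(b.pending_rewards).min(b.pending_rewards);
    if claim == 0 {
        return Err(ClaimError::NothingToClaim);
    }
    let sent = d.spend(claim)?; // balance is only reduced if spend() succeeds
    b.pending_rewards -= sent;
    Ok(sent)
}

fn main() {
    let d = Distributor { spend_limit: 100 };
    let mut b = Borrower { pending_rewards: 250 }; // constructed sample values
    println!("full claim: {:?}", claim_rewards_all(&d, &mut b));
    while b.pending_rewards > 0 {
        let chunk = b.pending_rewards.min(d.spend_limit);
        println!("partial claim: {:?}", claim_rewards(&d, &mut b, Some(chunk)));
    }
}
```

With the full-balance claim the error repeats on every call, because rewards only keep accruing while the balance stays above spend_limit; the amount parameter is what lets the user drain it.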