TreasuryBTC::claimRewards can be manipulated due to balanceOf()
Reward claims use live NXL balances at claim time rather than snapshot balances, allowing the same NXL tokens to be transferred between addresses and used to claim the same rewards multiple times.
Description
Reward claims in TreasuryBTC::claimRewards and TreasuryBTC::claimMultipleRewards are calculated from live balances at claim time instead of the NXL token balance at snapshot creation time. The same NXL tokens can be transferred across different addresses and used to claim rewards multiple times for the same snapshot, draining protocol funds.
Vulnerable Scenario:
The following steps help understand the issue:
- Address A, holding an NXL token balance, calls TreasuryBTC::claimRewards and successfully claims tokens.
- Address A sends its NXL balance to another address B. Address B calls TreasuryBTC::claimRewards. This also succeeds because the function uses the live balance of the calling address.
- An attacker can repeat this multiple times to drain the contract's stablecoin balance.
Impact
Drain of protocol funds.
Recommendation
Use the user's NXL token balance at snapshot creation time via ERC20Snapshot:
balanceOfAt(user, snapshotId)
totalSupplyAt(snapshotId)
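To make both the scenario above and this recommendation concrete, here is an added illustration that is not Nexalo's TreasuryBTC code and not Zealynx's. It uses hypothetical contracts (NXLSnapshotToken, TreasuryExample) and assumes OpenZeppelin Contracts 4.x, where ERC20Snapshot provides _snapshot(), balanceOfAt and totalSupplyAt (the extension was removed in 5.x). The first claim function reproduces the flaw: a per-address claimed flag exists, but because the share is computed from the live balanceOf, moving NXL to a fresh address yields a second payout for the same snapshot. The second function computes the share from the balance and supply frozen at the snapshot id, so transfers after the snapshot create no new claimable balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this finding; hypothetical contracts, not the audited project's code.
// Assumes OpenZeppelin Contracts 4.x (ERC20Snapshot exists there).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Snapshot.sol";

/// @dev Hypothetical NXL-like token; only the treasury may take snapshots.
contract NXLSnapshotToken is ERC20Snapshot {
    address public immutable treasury;

    constructor(address treasury_, address initialHolder) ERC20("NXL", "NXL") {
        treasury = treasury_;
        _mint(initialHolder, 1_000_000e18); // constructed sample supply
    }

    function snapshot() external returns (uint256) {
        require(msg.sender == treasury, "only treasury");
        return _snapshot(); // returns the new snapshot id (starts at 1)
    }
}

/// @dev Hypothetical treasury: flawed claim next to the snapshot-based claim.
contract TreasuryExample {
    NXLSnapshotToken public immutable nxl;
    IERC20 public immutable stable;

    struct RewardSnapshot {
        uint256 id;           // ERC20Snapshot id taken when rewards were allocated
        uint256 totalRewards; // stablecoin amount distributed for this snapshot
    }

    RewardSnapshot[] public snapshots;
    // snapshot index => claimer => already claimed
    mapping(uint256 => mapping(address => bool)) public claimed;

    constructor(IERC20 stable_) {
        stable = stable_;
        // Deploy the token so the treasury is its snapshotter; deployer gets the supply.
        nxl = new NXLSnapshotToken(address(this), msg.sender);
    }

    /// @dev Records a reward round together with a token snapshot at this moment.
    function createSnapshot(uint256 totalRewards) external {
        uint256 id = nxl.snapshot();
        snapshots.push(RewardSnapshot(id, totalRewards));
    }

    // VULNERABLE: share uses the live balanceOf at claim time. The claimed flag is
    // per address, so tokens moved to a fresh address claim the same round again.
    function claimRewardsVulnerable(uint256 index) external {
        RewardSnapshot memory s = snapshots[index];
        require(!claimed[index][msg.sender], "already claimed");
        claimed[index][msg.sender] = true;
        uint256 share = (s.totalRewards * nxl.balanceOf(msg.sender)) / nxl.totalSupply();
        require(stable.transfer(msg.sender, share), "transfer failed");
    }

    // FIXED: balance and supply are read at the snapshot id, so an address that held
    // nothing when the snapshot was taken receives nothing regardless of later transfers.
    function claimRewards(uint256 index) external {
        RewardSnapshot memory s = snapshots[index];
        require(!claimed[index][msg.sender], "already claimed");
        claimed[index][msg.sender] = true;
        uint256 share = (s.totalRewards * nxl.balanceOfAt(msg.sender, s.id)) / nxl.totalSupplyAt(s.id);
        require(stable.transfer(msg.sender, share), "transfer failed");
    }
}
```

The claimed mapping is keyed by snapshot index rather than by address alone so that each reward round is independent; the fix is effective only because both the numerator (balanceOfAt) and the denominator (totalSupplyAt) are pinned to the same snapshot id.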
Resolution
Nexalo: Claim rewards system removed.
Zealynx: We recommend following the recommendation instead of removing the core feature.

