# 31594 - \[SC - Insight] RewardPoolManager can only add RewardPoolToken ...

Submitted on May 21st 2024 at 15:49:14 UTC by @hulkvision for [Boost | Alchemix](https://immunefi.com/bounty/alchemix-boost/)

Report ID: #31594

Report type: Smart Contract

Report severity: Insight

Target: <https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/RewardPoolManager.sol>

Impacts:

* Contract fails to deliver promised returns, but doesn't lose value

## Description

## Brief/Intro

I have mentioned two issues that would be nice to fix in this report.

1. `RewardPoolManager` can only add reward pool tokens: the list is capped at `MAX_REWARD_POOL_TOKENS` (10) and there is no function to remove a token once added.
2. In `VotingEscrow.sol`, `setClaimFee` performs no upper-bound check on the fee value set by the admin.

## Vulnerability Details #1

`RewardPoolManager` can only add reward pool tokens. The list is capped at `MAX_REWARD_POOL_TOKENS` (10) and there is no removal path, so if a reward token becomes insolvent, turns malicious, or its value drops to zero, the contract has no way to drop it, and the slot it occupies under the cap can never be reclaimed.

In `RewardPoolManager.sol`

```solidity
// Only an add path exists; there is no matching _removeRewardPoolToken.
function _addRewardPoolToken(address token) internal { //@audit-ok
    if (!isRewardPoolToken[token] && token != address(0)) {
        require(rewardPoolTokens.length < MAX_REWARD_POOL_TOKENS, "too many reward pool tokens");

        isRewardPoolToken[token] = true;
        rewardPoolTokens.push(token);
    }
}
```
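The following is an added example, not Alchemix's code: a minimal registry that mirrors the quoted add path and supplies the removal path the report says is missing. It uses swap-and-pop with a 1-based index mapping so removal is O(1) and the freed slot counts against `MAX_REWARD_POOL_TOKENS` again. The contract name, the `onlyAdmin` modifier, `tokenIndex`, and the `removeRewardPoolToken` / `rewardPoolTokenCount` functions are illustrative names, not identifiers from the repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example (not Alchemix code): add + remove for a capped token list.
contract RewardPoolTokenRegistry {
    uint256 public constant MAX_REWARD_POOL_TOKENS = 10;

    address public admin;
    address[] public rewardPoolTokens;
    mapping(address => bool) public isRewardPoolToken;
    // 1-based position of a token in rewardPoolTokens (0 = not present),
    // kept so removal does not have to scan the array. Illustrative name.
    mapping(address => uint256) private tokenIndex;

    event RewardPoolTokenAdded(address indexed token);
    event RewardPoolTokenRemoved(address indexed token);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function addRewardPoolToken(address token) external onlyAdmin {
        _addRewardPoolToken(token);
    }

    function removeRewardPoolToken(address token) external onlyAdmin {
        _removeRewardPoolToken(token);
    }

    function rewardPoolTokenCount() external view returns (uint256) {
        return rewardPoolTokens.length;
    }

    // Same checks as the quoted _addRewardPoolToken, plus index bookkeeping.
    function _addRewardPoolToken(address token) internal {
        if (!isRewardPoolToken[token] && token != address(0)) {
            require(rewardPoolTokens.length < MAX_REWARD_POOL_TOKENS, "too many reward pool tokens");

            isRewardPoolToken[token] = true;
            rewardPoolTokens.push(token);
            tokenIndex[token] = rewardPoolTokens.length; // 1-based
            emit RewardPoolTokenAdded(token);
        }
    }

    // Swap-and-pop: move the last token into the removed slot so the array
    // stays dense, then clear the flag and index for the removed token.
    function _removeRewardPoolToken(address token) internal {
        require(isRewardPoolToken[token], "not a reward pool token");

        uint256 idx = tokenIndex[token] - 1;
        uint256 lastIdx = rewardPoolTokens.length - 1;
        if (idx != lastIdx) {
            address last = rewardPoolTokens[lastIdx];
            rewardPoolTokens[idx] = last;
            tokenIndex[last] = idx + 1;
        }
        rewardPoolTokens.pop();
        delete isRewardPoolToken[token];
        delete tokenIndex[token];
        emit RewardPoolTokenRemoved(token);
    }
}
```

Removal intentionally does not touch balances: in a real deployment the admin should first decide what happens to any amount of the removed token the contract already holds (sweep it, or leave it claimable), since that policy is protocol-specific and not something the registry itself can decide.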

## Impact Details #1

* The contract will not be able to remove tokens that have become malicious or whose value has dropped to zero, and the slot they occupy under `MAX_REWARD_POOL_TOKENS` can never be reused.

## Vulnerability Details #2

In `VotingEscrow.sol`

```solidity
function setClaimFee(uint256 _claimFeeBps) external { //@audit no upper limit check present
    require(msg.sender == admin, "not admin");
    claimFeeBps = _claimFeeBps;
    emit ClaimFeeUpdated(_claimFeeBps);
}
```
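As an added example (not Alchemix's code), here is a bounded version of `setClaimFee` next to the fee arithmetic that consumes `claimFeeBps`, to show concretely why an unbounded value matters. `BPS` is the standard 10,000 = 100% basis-point scale; `MAX_CLAIM_FEE_BPS`, the contract name and `splitEarlyClaim` are illustrative assumptions, not values or functions from the repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example (not Alchemix code): setClaimFee with an upper bound.
contract BoundedClaimFee {
    uint256 public constant BPS = 10_000;              // 100% in basis points
    uint256 public constant MAX_CLAIM_FEE_BPS = 5_000; // assumed policy cap: 50%

    address public admin;
    uint256 public claimFeeBps;

    event ClaimFeeUpdated(uint256 claimFeeBps);

    constructor(uint256 initialClaimFeeBps) {
        admin = msg.sender;
        _setClaimFee(initialClaimFeeBps);
    }

    function setClaimFee(uint256 _claimFeeBps) external {
        require(msg.sender == admin, "not admin");
        _setClaimFee(_claimFeeBps);
    }

    function _setClaimFee(uint256 _claimFeeBps) internal {
        // Reject anything above the policy cap; since the cap is below BPS
        // this also rules out fees of 100% or more.
        require(_claimFeeBps <= MAX_CLAIM_FEE_BPS, "claim fee too high");
        claimFeeBps = _claimFeeBps;
        emit ClaimFeeUpdated(_claimFeeBps);
    }

    // Splits an early-claim amount into the user's share and the fee.
    // In this example's arithmetic, claimFeeBps > BPS would make `fee`
    // exceed `amount` and the subtraction would revert on every claim,
    // while claimFeeBps == BPS would hand the user nothing.
    function splitEarlyClaim(uint256 amount) public view returns (uint256 toUser, uint256 fee) {
        fee = (amount * claimFeeBps) / BPS;
        toUser = amount - fee;
    }
}
```

With the cap in place, the PoC below would revert with "claim fee too high" instead of storing 1,000,000,000 bps. Picking the actual value of the cap is a governance decision; the point of the check is that the maximum is fixed on-chain rather than left to the admin key.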

`setClaimFee` is called by the admin to set the fee charged when ALCX rewards are claimed early; `RewardsDistributor.sol` reads this value when applying the fee to a claim. The function performs no upper-bound check on `_claimFeeBps`, so the admin can store any value, including one far above 10,000 bps (100%).

## Impact Details #2

* Allowing an arbitrary fee with no upper limit could reduce user trust in the protocol, since users have no on-chain guarantee of the maximum fee that can be charged on early claims.

## Proof of Concept

Add this test to `src/test/VotingEscrow.t.sol` and run it with `forge test --mt testPocArbitraryClaimFees --rpc-url $RPC_URL`:

```solidity
function testPocArbitraryClaimFees() public {
    // 1,000,000,000 bps is 100,000x the 10,000 bps that represents 100%,
    // yet the call succeeds because no upper bound is enforced.
    veALCX.setClaimFee(1000000000);
    assertEq(veALCX.claimFeeBps(), 1000000000, "incorrect claim fee");
}
```
