#46271 [SC-Medium] Rewards claiming functionality is broken.

Submitted on May 27th 2025 at 16:25:16 UTC by @farman1094 for Audit Comp | Flare | FAssets

  • Report ID: #46271

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/implementation/AgentVault.sol

  • Impacts:

    • Permanent freezing of unclaimed yield

Description

Brief/Intro

There is functionality in AgentVault.sol to claim rewards but that is broken. Rewards can never be claimed.

Vulnerability Details

The two functions AgentVault::claimDelegationRewards and AgentVault::claimAirdropDistribution are used to claim rewards.

Internally, both functions call the claim function of the reward manager and the distribution contract respectively:

    // claimAirdropDistribution
    _distribution.claim(address(this), _recipient, _month, false);

    // claimDelegationRewards
    _rewardManager.claim(address(this), _recipient, _lastRewardEpoch, false, _proofs);

Here the hard-coded value false is passed as the _wrap argument. A false value means the rewards are paid out as native ETH instead of as wNative (WNat) tokens. This can be confirmed in the interface: https://github.com/flare-foundation/flare-smart-contracts-v2/blob/8dc7b8c936c960aa7338e0bb903f1966c3bf57ed/contracts/userInterfaces/LTS/RewardsV2Interface.sol#L36C4-L50C48

    @param _wrap Indicates if the reward should be wrapped (deposited) to the WNAT contract.

But AgentVault.sol has a check in its receive() function that rejects incoming native ETH unless internalWithdrawal is set:

    receive() external payable {
        require(internalWithdrawal, "internal use only");
    }

So the whole call reverts, and the agent owner is never able to claim the rewards.

Impact Details

Rewards are available that can come from the FTSO (Flare Time Series Oracle) system: by delegating voting power (of WNat or similar tokens) to signal providers in the FTSO, the vault can earn rewards.

Rewards can also come from the airdrop distribution. Neither kind can be claimed, due to the broken functionality explained above.

So the yield generated can never be claimed, which is a direct financial loss to the agent.

Proof of Concept


  1. Initially, the owner delegates the collateral for FTSO or a similar purpose.

  2. Rewards accrue either as FTSO rewards from the delegation or in the form of an airdrop distribution.

  3. The user then calls one of AgentVault::claimDelegationRewards or AgentVault::claimAirdropDistribution to claim the rewards.

  4. Both functions pass the hard-coded value false:

    // claimAirdropDistribution
    _distribution.claim(address(this), _recipient, _month, false);

    // claimDelegationRewards
    _rewardManager.claim(address(this), _recipient, _lastRewardEpoch, false, _proofs);

  5. The false value means native ETH is sent back instead of the reward in the form of wNative tokens.

  6. But there is a check in AgentVault.sol:

  • check: https://github.com/flare-foundation/fassets/blob/fc727ee70a6d36a3d8dec81892d76d01bb22e7f1/contracts/assetManager/implementation/AgentVault.sol#L54

    receive() external payable {
        require(internalWithdrawal, "internal use only");
    }

It reverts, so the rewards can never be claimed.
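The revert path described in the PoC, as an added Solidity illustration that is not code from the report or from the FAssets repository. It uses a constructed mock reward manager (MockRewardManager) that pays native value to the recipient when _wrap is false, a minimal vault (MockAgentVault) carrying the quoted receive() guard, and a driver (ClaimDemo) that tries the claim both ways. The wrapped variant (claimWrapped, passing true) is an assumed mitigation used only to contrast the two paths; the _proofs argument of the real call is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for the reward manager's claim path (hypothetical, not
// Flare's contract). With wrap == false it pays the reward as native value to
// the recipient; with wrap == true it credits a wrapped-token balance instead.
contract MockRewardManager {
    mapping(address => uint256) public wrappedBalance; // stands in for WNat
    uint256 public constant REWARD = 1 ether;

    receive() external payable {} // lets the demo fund the mock with rewards

    function claim(address /*beneficiary*/, address payable recipient, uint24 /*epoch*/, bool wrap)
        external
        returns (uint256)
    {
        if (wrap) {
            wrappedBalance[recipient] += REWARD;
        } else {
            // Native payout: this is where the vault's receive() guard bites.
            (bool ok, ) = recipient.call{value: REWARD}("");
            require(ok, "native transfer failed");
        }
        return REWARD;
    }
}

// Minimal vault reproducing the guard quoted in the report. internalWithdrawal
// is never set on the claim path, exactly as in the reported scenario.
contract MockAgentVault {
    MockRewardManager immutable rewardManager;
    bool internal internalWithdrawal;

    constructor(MockRewardManager rm) { rewardManager = rm; }

    receive() external payable {
        require(internalWithdrawal, "internal use only");
    }

    // Mirrors the reported call shape: hard-coded wrap == false.
    function claimUnwrapped(address payable _recipient) external returns (uint256) {
        return rewardManager.claim(address(this), _recipient, 0, false);
    }

    // Assumed mitigation: request wrapping, so no native value reaches receive().
    function claimWrapped(address payable _recipient) external returns (uint256) {
        return rewardManager.claim(address(this), _recipient, 0, true);
    }
}

// Driver: deploy with some value, then call tryUnwrapped() and tryWrapped().
contract ClaimDemo {
    MockRewardManager public rm;
    MockAgentVault public vault;

    constructor() payable {
        rm = new MockRewardManager();
        vault = new MockAgentVault(rm);
        (bool ok, ) = address(rm).call{value: msg.value}(""); // fund the rewards pool
        require(ok, "funding failed");
    }

    // Reported path: recipient is the vault itself, so the native payout hits
    // receive(), which reverts with "internal use only". Returns false.
    function tryUnwrapped() external returns (bool ok) {
        try vault.claimUnwrapped(payable(address(vault))) { ok = true; } catch { ok = false; }
    }

    // Contrast: wrapped claim succeeds and the vault is credited 1 ether of WNat.
    function tryWrapped() external returns (bool ok, uint256 wrapped) {
        try vault.claimWrapped(payable(address(vault))) { ok = true; } catch { ok = false; }
        wrapped = rm.wrappedBalance(address(vault));
    }
}
```

Deploying ClaimDemo with at least 1 ether and calling tryUnwrapped() returns false, while tryWrapped() returns (true, 1 ether): the only difference between the two paths is the _wrap flag, which is the flag the report identifies as hard-coded to false.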
