# #42407 [SC-Low] Updating MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR impacts unclaimed rewards of past epochs

**Submitted on Mar 23rd 2025 at 17:54:49 UTC by @Oxrochimaru for** [**Audit Comp | Yeet**](https://immunefi.com/audit-competition/audit-comp-yeet)

* **Report ID:** #42407
* **Report Type:** Smart Contract
* **Report severity:** Low
* **Target:** <https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol>
* **Impacts:**
  * Contract fails to deliver promised returns, but doesn't lose value

## Description

## Brief/Intro

The variable `RewardSettings::MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR` can be updated by the admin. It sets the maximum rewards a single wallet can receive per epoch.

Users can claim their rewards for past epochs at any time in the future. But if `MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR` is updated, the new value is applied to past-epoch rewards as well. This creates uncertainty about the amount of rewards a user will get for an epoch.

## Vulnerability Details

A user can claim their past rewards whenever they want. These past rewards are calculated by `getClaimableAmount()`. Here, `MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR` is not stored per epoch; instead, it is a single value used for every epoch. If it is updated, the user's past rewards might change too: they might get fewer or more tokens depending on the new `MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR`.

The user's rewards should remain fixed for past epochs, no matter when they decide to claim their rewards.

## Impact Details

If a user claims the rewards in the future, they might get fewer or more rewards than initially calculated.

## References

<https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol?utm_source=immunefi#L187>

## Proof of Concept


* Total rewards to be distributed is 100.
* Max rewards per user is 30%.
* Alice is eligible for 25 rewards.
* The protocol decided to change the max rewards to 20%.
* Now, if Alice claims in the future, she is eligible for only 20 rewards instead of 25.
* Even though this epoch has ended, Alice's rewards are still tied to the current max rewards value in the contract.
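
The scenario above as a runnable accounting model, with a per-epoch snapshot of the cap as one possible mitigation. This is an added example, not code from `Reward.sol` or from the report's author; the class, its method names, and the basis-point representation of the cap are assumptions made for illustration.

```python
# Added model: the cap is held in basis points of an epoch's rewards (an
# assumption; the PoC only speaks of "30%" and "20%"). All names are hypothetical.
BPS = 10_000

class RewardModel:
    def __init__(self, cap_bps):
        self.cap_bps = cap_bps      # live, admin-updatable cap
        self.epoch = 1
        self.rewards = {}           # epoch -> total rewards for that epoch
        self.volume = {}            # epoch -> {user: volume}
        self.cap_at_close = {}      # epoch -> cap in force when the epoch ended

    def record(self, user, amount):
        vols = self.volume.setdefault(self.epoch, {})
        vols[user] = vols.get(user, 0) + amount

    def end_epoch(self, total_rewards):
        self.rewards[self.epoch] = total_rewards
        self.cap_at_close[self.epoch] = self.cap_bps   # mitigation: freeze the cap
        self.epoch += 1

    def set_cap(self, cap_bps):     # admin action
        self.cap_bps = cap_bps

    def _claimable(self, user, epoch, cap_bps):
        vols = self.volume.get(epoch, {})
        total = sum(vols.values())
        if total == 0 or epoch not in self.rewards:
            return 0
        share = self.rewards[epoch] * vols.get(user, 0) // total
        return min(share, self.rewards[epoch] * cap_bps // BPS)

    def claimable_live_cap(self, user, epoch):
        """Behaviour the report describes: past epochs use the current cap."""
        return self._claimable(user, epoch, self.cap_bps)

    def claimable_snapshot_cap(self, user, epoch):
        """Hardened variant: past epochs use the cap in force when they closed."""
        return self._claimable(user, epoch, self.cap_at_close.get(epoch, self.cap_bps))

def poc():
    m = RewardModel(cap_bps=3_000)              # 30% cap
    m.record("alice", 25)
    m.record("others", 75)
    m.end_epoch(total_rewards=100)              # Alice's share of epoch 1 is 25
    before = m.claimable_live_cap("alice", 1)
    m.set_cap(2_000)                            # cap lowered to 20% after the epoch
    return before, m.claimable_live_cap("alice", 1), m.claimable_snapshot_cap("alice", 1)
```
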

