#42407 [SC-Low] Updating MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR impacts unclaimed rewards of past epochs
Submitted on Mar 23rd 2025 at 17:54:49 UTC by @Oxrochimaru for Audit Comp | Yeet
Report ID: #42407
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Description
Brief/Intro
Variable RewardSettings::MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR is updatable by admin. It is the max rewards a single wallet can receive per epoch.
The users can claim their rewards of past epochs any time in future. But if MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR is updated, this new value will be applied to past epoch rewards. Hence, creating uncertainty in amount of rewards user will get for an epoch.
Vulnerability Details
A user can claim their past rewards anytime they want. Their past rewards is calculated as getClaimableAmount(). Here, MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR is not stored per epoch. Instead, its a single value used for every epoch. If it is updated then user's past rewards might change too. He might get less or more tokens depending upon new MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR.
The user's rewards should remain fixed for past epochs, no matter when they decide to claim their rewards.
Impact Details
If a user claims the rewards in future, it might get less or more rewards than initially calculated.
References
Add any relevant links to documentation or code https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol?utm_source=immunefi#L187
Proof of Concept
Proof of Concept
Total rewards to be distributed is 100.
Max rewards per user is 30%.
Alice is eligible for 25 rewards.
The protocol decided to change max rewards to 20%.
Now, if Alice claims in future, she is eligible for only 20 rewards now instead of 25
Even though this epoch has ended, Alice rewards are still tied to current max rewards value in the contract.
Was this helpful?