code-423n4/2024-08-phi-validation

Changes balance of all intended actors in RewardControl contract but the actual money is not deposited to RewardControl contract

c4-bot-8 opened this issue · 0 comments

Lines of code

https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/reward/PhiRewards.sol#L78

Vulnerability details

Impact

Only the balances of actors are changed; no actual money is sent from PhiRewards to RewardControl. So withdrawal doesn't happen in RewardControl if this contract has less money than expected.

Proof of Concept

The PhiNFT1155 contract sent transactions with msg.value to PhiRewards; this contract changes the balance of all intended actors in the RewardControl contract, but the actual money was not deposited to the RewardControl contract. It is definitely an issue while withdrawing all this money; instead, the handleRewardsAndGetValueSent function should send actual money to the RewardControl contract.

Tools Used

Manual review

Recommended Mitigation Steps

The depositRewards function in PhiRewards should send all rewards to the RewardControl contract along with changing balances of actors.

Assessed type

Token-Transfer