ID:
88mph-1327
100 pts
Platform:
Type:
Category:
Method:
Data Sources:
Ethereum
Dapp
Lending
Rewards - Bug Bounties
Extended Method:
failure to update parameters with correct value
Days in Operation:
1074
(2.94 Years)
100 pts each
On September 25, 2022, 0xSzeth reported a high severity bug in 88mph’s vesting03 smart contract via Immunefi. This bug allowed some malicious users to drain the vesting contract of unclaimed MPH rewards (88mph tokens).
The whitehat discovered that some users were able to steal most of the 88mph tokens generated from yield in the vesting03 contract by depositing an asset and withdrawing the vested 88mph tokens immediately. In other words, users were able to withdraw deposits before the maturity date, receiving yield that they were not entitled to. This is because while depositing an asset, the vestRewardPerTokenPaid[vestID] was not updated with the current rewardPerToken.
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.